是否使用参数化的SqlCommand我的程序不受SQL注入？ [英] Does using parameterized SqlCommand make my program immune to SQL injection?

问题描述

我知道， SQL注入是相当危险的。现在，在我的C＃code我编写参数化查询与<一个href="http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.aspx"><$c$c>SqlCommand类：

I'm aware that SQL injection is rather dangerous. Now in my C# code I compose parameterized queries with SqlCommand class:

SqlCommand command = ...;
command.CommandText = "SELECT * FROM Jobs WHERE JobId = @JobId;";
command.Parameters.Add("@JobId", SqlDbType.UniqueIdentifier ).Value = actualGuid;
command.ExecuteNonQuery();

这会不会自动让我的code不受SQL注入？我必须做些额外的事情？

Will this automatically make my code immune to SQL injection? Do I have to do something extra?

推荐答案

我说你特别的，而且很可能规范，例如用于参数化查询，是的，它是足够了。

I'd say for your particular, and probably canonical, example for parametrized queries, yes it is sufficient.

然而，人们有时会写code这样

However, people sometimes write code like this

cmd.CommandText = string.Format("SELECT * FROM {0} WHERE col = @col;", tableName);
cmd.Parameters.Add("@col", ...);

，因为根本就没有办法通过自己的表名作为参数，并做了欲望存在，有时 - 误导或没有。这似乎是则常常被忽略，那tableName值（除非也许只有一组静态/常数值不从任何输入导出读）确实允许SQL注入。

because there is simply no way to pass the tablename itself as a parameter and the desire to do exists sometimes - misguided or not. It seems it is then often overlooked, that tableName (unless maybe only read from a set of static/constant values that do not derive from any input) indeed allows for SQL injection.

这篇关于是否使用参数化的SqlCommand我的程序不受SQL注入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！