This question already has an answer here:
这个问题在这里已有答案:
- How does SQLParameter prevent SQL Injection? 4 answers
SQLParameter如何阻止SQL注入? 4个答案
Apologies if this seems a daft question but how does using parameters defends against SQL injection and what are the best practices in relation to T-SQL:
抱歉,如果这似乎是一个愚蠢的问题但是如何使用参数防止SQL注入以及与T-SQL相关的最佳实践:
For example: Is this best practice?
例如:这是最佳做法吗?
SqlCommand SqlCmd = new SqlCommand("SQL Command @X ....... @Y");
SqlCmd.CommandType = CommandType.Text;
SqlCmd.Parameters.AddWithValue("@X", SqlDbType.VarChar).Value = X;
SqlCmd.Parameters.AddWithValue("@Y", SqlDbType.date).Value = Y;
SqlCmd.Connection = ConnectionString;
2 个解决方案
#1
1
The best practice is to use SQL Parameters. Using the SqlParameterCollection (as in your example: SqlCmd.Parameters
) automatically provides you with:
最佳实践是使用SQL参数。使用SqlParameterCollection(如示例中所示:SqlCmd.Parameters)自动为您提供:
- Type checking
- Length validation
- Input is treated as a literal value rather than as executable code
- Handling of special characters normally involved in SQL injection attacks
输入被视为文字值而不是可执行代码
处理通常涉及SQL注入攻击的特殊字符
There are some additional best practices, including:
还有一些其他最佳实践,包括:
- Constrain and sanitize input data
- Use an account that has restricted permissions in the database
- Avoid disclosing database error information
约束和清理输入数据
使用在数据库中具有受限权限的帐户
避免泄露数据库错误信息
You'll find those best practices further described at this OWASP SQL Injection Prevention Cheat Sheet.
您将在本OWASP SQL注入预防备忘单中找到进一步描述的最佳实践。
#2
2
Yes, this code is safe from SQL injection.
是的,这段代码可以安全地从SQL注入。
The reason is that when working with parameters your passing the items as a value to your server and they will be interpreted as such.
原因是当使用参数时,将项目作为值传递给服务器,它们将被解释为这样。
If you would construct a string, SQL cannot know what the value is and what the query is and has to rely purely on syntax.
如果要构造一个字符串,SQL无法知道该值是什么以及查询是什么,并且必须完全依赖于语法。
#1
1
The best practice is to use SQL Parameters. Using the SqlParameterCollection (as in your example: SqlCmd.Parameters
) automatically provides you with:
最佳实践是使用SQL参数。使用SqlParameterCollection(如示例中所示:SqlCmd.Parameters)自动为您提供:
- Type checking
- Length validation
- Input is treated as a literal value rather than as executable code
- Handling of special characters normally involved in SQL injection attacks
输入被视为文字值而不是可执行代码
处理通常涉及SQL注入攻击的特殊字符
There are some additional best practices, including:
还有一些其他最佳实践,包括:
- Constrain and sanitize input data
- Use an account that has restricted permissions in the database
- Avoid disclosing database error information
约束和清理输入数据
使用在数据库中具有受限权限的帐户
避免泄露数据库错误信息
You'll find those best practices further described at this OWASP SQL Injection Prevention Cheat Sheet.
您将在本OWASP SQL注入预防备忘单中找到进一步描述的最佳实践。
#2
2
Yes, this code is safe from SQL injection.
是的,这段代码可以安全地从SQL注入。
The reason is that when working with parameters your passing the items as a value to your server and they will be interpreted as such.
原因是当使用参数时,将项目作为值传递给服务器,它们将被解释为这样。
If you would construct a string, SQL cannot know what the value is and what the query is and has to rely purely on syntax.
如果要构造一个字符串,SQL无法知道该值是什么以及查询是什么,并且必须完全依赖于语法。