Escaping SQL queries - supporting different database platforms in .Net

Time: 2023-01-16 18:17:04

Is there a .Net project/dll, that supports escaping of user supplied input to database queries for various database systems?

I would like our entire team to standardize and use one module to perform escaping of user supplied input that will then be used in parameterized SQL queries.

Ideally, I would like to specify the database system (oracle, SqlServer, mySql, etc.) in the config file and be able to call Escape(variableName) and it would escape the string contents based on the current database setting in the web.config file.

If not, the next best thing would be something like EscapeForOracle, EscapeForSqlServer, etc.

At a minimum the project should support Oracle, SqlServer and MySql.

I am wondering if I need to create this in-house or if an existing commercial/open-source product exists to do this.

2 solutions

#1


I don't think you will need such a thing.

When running a parametrized query/stored procedure, use a parameters collection.
Specify appropriate data type, length, precision & supply a valid value.
Escaping will be done by DB provider.

Let me know if I have not understood your question correctly.

#2


In .NET, you can use the generic classes like DbReader and DbConnection instead of SqlConnection. Like shahkalpesh and Lasse V. Karlsen said, you can use parameters and the framework or driver will handle the escaping for you.

But practically speaking, if you wish to develop a product for both Oracle and Sql Server, you're talking MAJOR overhead. Escaping correctly is just the tip of the iceberg. If you haven't installed an Oracle and a Sql Server test server, you probably haven't even started :)

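Both answers make the same point: with a parameters collection the user-supplied value never becomes part of the SQL text, so there is nothing for application code to escape. The following is an added C# example (not code from the question or either answer) showing how that looks when written against the provider-independent `System.Data.Common` classes, so the same repository method runs against Sql Server, Oracle or MySql depending on which provider is configured. The provider invariant names, the idea of reading them from the `<connectionStrings>` section of web.config, the `Users` table and the `@` versus `:` parameter markers are assumptions made for illustration; the only real provider-specific knowledge the code carries is that marker.

```csharp
// Added example, not from the original Q&A: a provider-agnostic parameterized
// lookup through DbProviderFactory / DbConnection / DbCommand / DbParameter.
using System;
using System.Data;
using System.Data.Common;

public static class UserRepository
{
    // Assumed to come from web.config, e.g.
    //   ConfigurationManager.ConnectionStrings["Main"].ProviderName / .ConnectionString
    // The invariant names below are the commonly registered ones; check what
    // DbProviderFactories.GetFactoryClasses() actually reports on your machine.
    private static readonly string ProviderName = "System.Data.SqlClient";
    private static readonly string ConnectionString = "<connection string from config>";

    // The parameter marker is the one piece of provider-specific syntax the
    // calling code needs. SqlClient and MySql use '@', Oracle uses ':'.
    // (Assumed mapping; extend it for any other provider you register.)
    private static string Marker(string providerName)
    {
        switch (providerName)
        {
            case "Oracle.ManagedDataAccess.Client":
                return ":";
            case "System.Data.SqlClient":
            case "MySql.Data.MySqlClient":
            default:
                return "@";
        }
    }

    // Returns the e-mail for a user name, or null when no row matches.
    // userName is untrusted input; it is bound as a typed parameter, so a value
    // such as "o'brien" is just data and the driver, not our code, deals with it.
    public static string FindEmailByUserName(string userName)
    {
        if (userName == null) throw new ArgumentNullException(nameof(userName));

        DbProviderFactory factory = DbProviderFactories.GetFactory(ProviderName);
        string paramName = Marker(ProviderName) + "userName";

        using (DbConnection conn = factory.CreateConnection())
        {
            conn.ConnectionString = ConnectionString;
            conn.Open();

            using (DbCommand cmd = conn.CreateCommand())
            {
                // The SQL text contains only the parameter placeholder, never the value.
                cmd.CommandText = "SELECT Email FROM Users WHERE UserName = " + paramName;

                DbParameter p = cmd.CreateParameter();
                p.ParameterName = paramName;   // the providers named above accept the marker-prefixed form
                p.DbType = DbType.String;
                p.Size = 64;                   // should match the column definition
                p.Value = userName;
                cmd.Parameters.Add(p);

                using (DbDataReader reader = cmd.ExecuteReader())
                {
                    return reader.Read() ? reader.GetString(0) : null;
                }
            }
        }
    }
}
```

Two practical notes. First, `DbProviderFactories.GetFactory` only finds providers that are registered: on .NET Framework that happens through `machine.config` / `app.config`, while on .NET Core and later you must call `DbProviderFactories.RegisterFactory(...)` at start-up. Second, the example deliberately has no `Escape(...)` method: the parameter's `DbType` and `Size` are what constrain the input, and a value that does not fit (too long, wrong type) fails at bind time rather than being silently concatenated into the query.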
