What is the fastest way to get JSON from the database to the client without leaving behind opportunities for SQL injection?
I am looking at paging, insert, update, delete, sort, etc. against any table in my schema.
1 solution
#1
1
This all depends on what data you are querying. The fact you are using JSON doesn't have anything to do with SQL injection - it's more the calls to the database that would be a concern. On the server side do not form any dynamic SQL.
1. Use stored procedures (and do not include any dynamic SQL in a stored proc - if you do, make sure you use sp_executesql and not exec, as sp_executesql can take a parameterized query).
2. Use parameterized queries.
3. Use an ORM (e.g. Entity Framework), which uses parameterized queries behind the scenes anyway.
Try not to use any dynamic SQL - if you must for some reason, then make sure you use parameterized queries.
Then, for the result from your controller, simply return:
return Json(yourModel);
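The sp_executesql point in the answer is easiest to see on the paging-and-sort case the question asks about, because a sort column is an identifier and cannot be bound as a parameter. The stored procedure below is an added example, not code from the answer or from any project on this page; it assumes a table dbo.Customers(Id, Name, CreatedAt) and SQL Server 2016 or later (CREATE OR ALTER, OFFSET/FETCH). The column name is checked against a fixed allow-list and quoted with QUOTENAME, while the offset and page size travel as typed parameters through sys.sp_executesql, so the query text never varies with caller-supplied values.

```sql
-- Added example (not code from the original answer): a SQL Server stored
-- procedure that pages and sorts a table without concatenating user values
-- into the query text. Assumed schema: dbo.Customers(Id, Name, CreatedAt);
-- assumes SQL Server 2016+ (CREATE OR ALTER, OFFSET/FETCH).
CREATE OR ALTER PROCEDURE dbo.Customers_GetPage
    @SortColumn sysname = N'Id',   -- caller-chosen sort column
    @SortDesc   bit     = 0,
    @PageNumber int     = 1,
    @PageSize   int     = 50
AS
BEGIN
    SET NOCOUNT ON;

    -- Column names cannot be passed as query parameters, so the only
    -- dynamic part of the text is an identifier checked against a fixed list.
    IF @SortColumn NOT IN (N'Id', N'Name', N'CreatedAt')
    BEGIN
        RAISERROR(N'Unsupported sort column.', 16, 1);
        RETURN;
    END;

    -- Bound the paging arguments so a caller cannot request an oversized page.
    IF @PageNumber < 1 OR @PageSize < 1 OR @PageSize > 500
    BEGIN
        RAISERROR(N'Invalid paging arguments.', 16, 1);
        RETURN;
    END;

    DECLARE @Offset int = (@PageNumber - 1) * @PageSize;

    -- The allow-listed identifier is quoted with QUOTENAME; every value stays
    -- a parameter placeholder, so @Sql has the same text for every caller.
    DECLARE @Sql nvarchar(max) = N'
        SELECT Id, Name, CreatedAt
        FROM dbo.Customers
        ORDER BY ' + QUOTENAME(@SortColumn)
                   + CASE WHEN @SortDesc = 1 THEN N' DESC' ELSE N' ASC' END + N'
        OFFSET @Offset ROWS FETCH NEXT @PageSize ROWS ONLY;';

    -- sp_executesql (not EXEC) binds the values as typed parameters.
    EXEC sys.sp_executesql
        @Sql,
        N'@Offset int, @PageSize int',
        @Offset   = @Offset,
        @PageSize = @PageSize;
END;
GO

-- Usage (constructed input): second page of 25 rows, newest first.
EXEC dbo.Customers_GetPage @SortColumn = N'CreatedAt', @SortDesc = 1,
                           @PageNumber = 2, @PageSize = 25;
```

On the application side the controller passes the four values as SqlParameter objects on a SqlCommand with CommandType.StoredProcedure (or through an ORM such as Entity Framework, which parameterizes them for you), maps the rows to a model, and returns Json(model) as the answer shows. Keeping the allow-list inside the procedure rather than only in the web tier means any other caller of the procedure gets the same protection.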