I am currently interacting with a legacy SDK, which is used to control hand reader hardware. It is a commercial SDK and product, and thus there is no way to access the hardware other than through this SDK.
我目前正在与传统SDK进行交互,后者用于控制手持阅读器硬件。它是商业SDK和产品,因此除了通过此SDK之外,无法访问硬件。
I am attempting to run SQL queries on the hand reader's database, and the SDK only provides one method for doing so, with the following signature:
我试图在手持阅读器的数据库上运行SQL查询,而SDK只提供了一种方法,具有以下签名:
handReader.QueryDB(string sqlStatement);
This thus implies that any query can be passed to that method in the form of a string. While this is simple, it immediately points towards possible SQL injection attacks.
因此,这意味着任何查询都可以以字符串的形式传递给该方法。虽然这很简单,但它立即指向可能的SQL注入攻击。
I do not have access to the method's workings, thus cannot see whether any detailed SQL prevention goes on within it. Thus, I would like to find a way to paramaterise the string, similar to paramaterised queries utilising the SqlCommand class.
我无法访问该方法的工作方式,因此无法查看是否在其中进行了任何详细的SQL预防。因此,我想找到一种对字符串进行参数化的方法,类似于使用SqlCommand类的paramaterised查询。
Is this possible?
这可能吗?
1 个解决方案
#1
0
I've implement a string format that works with names instead of numbers Here's my sql string:
我实现了一个字符串格式,它使用名称而不是数字这是我的sql字符串:
string sqlStr = @"select * from Table1 t1
where t1.field1 = @Field1 and IsActive = 1";
int F1 = 12;
sqlStr = sqlStr.NamedStringFormatSQL(new
{
Field1 = F1
});
And this is code for formatter:
这是格式化程序的代码:
public static Dictionary<string, object> AnonymousToDictionary(object value)
{
Dictionary<string, object> dic = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase);
if (value != null)
{
foreach (PropertyDescriptor descriptor in TypeDescriptor.GetProperties(value))
{
object obj2 = descriptor.GetValue(value);
dic.Add(descriptor.Name, obj2);
}
}
return dic;
}
public static string NamedStringFormatSQL(this string aString, object replacements)
{
Dictionary<string, object> keyValues = AnonymousToDictionary(replacements);
foreach (var item in keyValues)
{
string val = item.Value == null ? "null" : item.Value.ToString();
aString = aString.Replace("@" + item.Key, val);
}
return aString;
}
#1
0
I've implement a string format that works with names instead of numbers Here's my sql string:
我实现了一个字符串格式,它使用名称而不是数字这是我的sql字符串:
string sqlStr = @"select * from Table1 t1
where t1.field1 = @Field1 and IsActive = 1";
int F1 = 12;
sqlStr = sqlStr.NamedStringFormatSQL(new
{
Field1 = F1
});
And this is code for formatter:
这是格式化程序的代码:
public static Dictionary<string, object> AnonymousToDictionary(object value)
{
Dictionary<string, object> dic = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase);
if (value != null)
{
foreach (PropertyDescriptor descriptor in TypeDescriptor.GetProperties(value))
{
object obj2 = descriptor.GetValue(value);
dic.Add(descriptor.Name, obj2);
}
}
return dic;
}
public static string NamedStringFormatSQL(this string aString, object replacements)
{
Dictionary<string, object> keyValues = AnonymousToDictionary(replacements);
foreach (var item in keyValues)
{
string val = item.Value == null ? "null" : item.Value.ToString();
aString = aString.Replace("@" + item.Key, val);
}
return aString;
}