I have a basic C# windows form that allows the user to update a specific field in our MySQL database from a Windows machine. What is the best way to check the string input values in the C# form in order to alter the string to include backslashes for comma's etc but also to prevent against any form of SQL injection?
我有一个基本的C#窗体,允许用户从Windows机器更新MySQL数据库中的特定字段。检查C#表单中的字符串输入值以便更改字符串以包含逗号等的反斜杠以及防止任何形式的SQL注入的最佳方法是什么?
Many thanks.
1 个解决方案
#1
1
Generally the quickest approach I've seen is to use an ISAPI filter, like these:
通常我见过的最快的方法是使用ISAPI过滤器,如下所示:
http://www.iis.net/extensions/UrlScan
http://iis6sqlinjection.codeplex.com/
You should also be using Parameter Commands with Stored Procedures.
您还应该使用带有存储过程的参数命令。
While your doing this you maze well protect against XSS attacks too, here a fantastic article: http://corneliutusnea.wordpress.com/2009/12/11/xss-attack-your-database-to-detect-missing-output-encoding/
虽然你这样做你迷宫很好,也可以防止XSS攻击,这里有一篇很棒的文章:http://corneliutusnea.wordpress.com/2009/12/11/xss-attack-your-database-to-detect-missing-output-编码/
#1
1
Generally the quickest approach I've seen is to use an ISAPI filter, like these:
通常我见过的最快的方法是使用ISAPI过滤器,如下所示:
http://www.iis.net/extensions/UrlScan
http://iis6sqlinjection.codeplex.com/
You should also be using Parameter Commands with Stored Procedures.
您还应该使用带有存储过程的参数命令。
While your doing this you maze well protect against XSS attacks too, here a fantastic article: http://corneliutusnea.wordpress.com/2009/12/11/xss-attack-your-database-to-detect-missing-output-encoding/
虽然你这样做你迷宫很好,也可以防止XSS攻击,这里有一篇很棒的文章:http://corneliutusnea.wordpress.com/2009/12/11/xss-attack-your-database-to-detect-missing-output-编码/