如何将SQL查询重写为参数化查询?
问题描述:
我听说我可以通过使用参数化查询来防止SQL注入攻击,但我不知道如何编写它们。如何将SQL查询重写为参数化查询?
我该如何将以下内容写入参数化查询?
SqlConnection con = new SqlConnection(
"Data Source=" + globalvariables.hosttxt + "," + globalvariables.porttxt + "\\SQLEXPRESS;" +
"Database=ha;" +
"Persist Security Info=false;" +
"UID='" + globalvariables.user + "';" +
"PWD='" + globalvariables.psw + "'");
string query = "SELECT distinct ha FROM app WHERE 1+1=2";
if (comboBox1.Text != "")
{
query += " AND firma = '" + comboBox1.Text + "'";
}
if (comboBox2.Text != "")
{
query += " AND type = '" + comboBox2.Text + "'";
}
if (comboBox3.Text != "")
{
query += " AND farve = '" + comboBox3.Text + "'";
}
SqlCommand mySqlCmd = con.CreateCommand();
mySqlCmd.CommandText = query;
con.Open();
…
答
您需要使用参数,而不仅仅是串联起来你的SQL:
using (SqlConnection con = new SqlConnection(--your-connection-string--))
using (SqlCommand cmd = new SqlCommand(con))
{
string query = "SELECT distinct ha FROM app WHERE 1+1=2";
if (comboBox1.Text != "")
{
// add an expression with a parameter
query += " AND firma = @value1 ";
// add parameter and value to the SqlCommand
cmd.Parameters.Add("@value1", SqlDbType.VarChar, 100).Value = comboBox1.Text;
}
.... and so on for all the various parameters you want to add
cmd.CommandText = query;
con.Open();
using (SqlDataReader reader = cmd.ExecuteReader())
{
while(reader.Read())
{
// do something with reader -read values
}
reader.Close();
}
con.Close();
}
答
,而不是comboBox1.Text使用参数,如@firma
command.Parameters.Add("@firma", SqlDbType.Varchar);
command.Parameters["@firma"].Value = comboBox1.Text;
query += " AND firma = @firma ";
将此所有参数
@marc_s谢谢错字 – 2014-09-13 08:24:08
OK - 现在作为下一步,我建议你总是定义一个明确的** **长:'command.Parameters.Add( “@ FIRMA”,SqlDbType.Varchar,100);' – 2014-09-13 08:26:40
由于这是有查询执行计划中的任何差异?或性能? – 2014-09-13 08:53:15