blocks|key|633472|text|您需要使用参数。我们不需要，但会更好。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|633473|SqlParameter[]+myparm+=+new+SqlParameter[2];
myparm[0]+=+new+SqlParameter("@User",user);
myparm[1]+=+new+SqlParameter("@Pass",password);

string+comando+=+"SELECT+*+FROM+ANAGRAFICA+WHERE+E_MAIL=@User+AND+PASSWORD_AZIENDA=@Pass";|code-block|syntax|javascript|633474|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

You need to use parameters. Well dont have to but would be preferable.

<pre><code>SqlParameter[] myparm = new SqlParameter[2];
myparm[0] = new SqlParameter("@User",user);
myparm[1] = new SqlParameter("@Pass",password);

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@User AND PASSWORD_AZIENDA=@Pass";
</code></pre>

blocks|key|849920|text|可以，您可以使用Named+Parameters来避免注入|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|849921|entityMap^0|8|G|0^^$0|@$1|2|3|4|5|6|7|H|8|@$9|I|A|J|B|C]]|D|@]|E|$]]|$1|F|3|-4|5|6|7|K|8|@]|D|@]|E|$]]]|G|$]]

Yes, you can avoid injection by using <code>Named Parameters</code>

blocks|key|849954|text|您应该使用SQL参数来防止SQL注入请查看代码|type|unstyled|depth|inlineStyleRanges|entityRanges|data|849955|//
//+The+name+we+are+trying+to+match.
//
string+dogName+=+"Fido";
//
//+Use+preset+string+for+connection+and+open+it.
//
string+connectionString+=+ConsoleApplication716.Properties.Settings.Default.ConnectionString;
using+(SqlConnection+connection+=+new+SqlConnection(connectionString))
{
++++connection.Open();
++++//
++++//+Description+of+SQL+command:
++++//+1.+It+selects+all+cells+from+rows+matching+the+name.
++++//+2.+It+uses+LIKE+operator+because+Name+is+a+Text+field.
++++//+3.+@Name+must+be+added+as+a+new+SqlParameter.
++++//
++++using+(SqlCommand+command+=+new+SqlCommand("SELECT+*+FROM+Dogs1+WHERE+Name+LIKE+@Name",+connection))
++++{
++++//
++++//+Add+new+SqlParameter+to+the+command.
++++//
++++command.Parameters.Add(new+SqlParameter("Name",+dogName));
++++//
++++//+Read+in+the+SELECT+results.
++++//
++++SqlDataReader+reader+=+command.ExecuteReader();
++++while+(reader.Read())
++++{
++++++++int+weight+=+reader.GetInt32(0);
++++++++string+name+=+reader.GetString(1);
++++++++string+breed+=+reader.GetString(2);
++++++++Console.WriteLine("Weight+=+{0},+Name+=+{1},+Breed+=+{2}",+weight,++++name,+breed);
++++}
++++}
}|code-block|syntax|javascript|849956|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

You should use the SQL paramters to prevent SQL Injection
look at the code

<pre><code>//
// The name we are trying to match.
//
string dogName = "Fido";
//
// Use preset string for connection and open it.
//
string connectionString = ConsoleApplication716.Properties.Settings.Default.ConnectionString;
using (SqlConnection connection = new SqlConnection(connectionString))
{
 connection.Open();
 //
 // Description of SQL command:
 // 1. It selects all cells from rows matching the name.
 // 2. It uses LIKE operator because Name is a Text field.
 // 3. @Name must be added as a new SqlParameter.
 //
 using (SqlCommand command = new SqlCommand("SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
 {
 //
 // Add new SqlParameter to the command.
 //
 command.Parameters.Add(new SqlParameter("Name", dogName));
 //
 // Read in the SELECT results.
 //
 SqlDataReader reader = command.ExecuteReader();
 while (reader.Read())
 {
 int weight = reader.GetInt32(0);
 string name = reader.GetString(1);
 string breed = reader.GetString(2);
 Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}", weight, name, breed);
 }
 }
}
</code></pre>

blocks|key|633580|text|如果您可以将这些参数转换为命名参数，我认为您将得到更好的服务。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|633581|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

If you can convert these to Named Parameters, I think you would be better served.

blocks|key|850007|text|使用参数而不是转义字符串：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|850008|var+comando+=+"SELECT+*+FROM+ANAGRAFICA+WHERE+E_MAIL=@user+AND+PASSWORD_AZIENDA=@password";|code-block|syntax|javascript|850009|然后在执行SqlCommand之前为这些参数赋值。|offset|length|style|CODE|850010|entityMap^0|0|0|5|A|0^^$0|@$1|2|3|4|5|6|7|O|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|P|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|Q|8|@$I|R|J|S|K|L]]|9|@]|A|$]]|$1|M|3|-4|5|6|7|T|8|@]|9|@]|A|$]]]|N|$]]

Use parameters instead of escaping strings:

<pre><code>var comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@user AND PASSWORD_AZIENDA=@password";
</code></pre>

Then assign values to those parameters before you execute the <code>SqlCommand</code>.

blocks|key|633666|text|@Jethro|type|unstyled|depth|inlineStyleRanges|entityRanges|data|633667|你也可以这样写它：|633668|SqlParameter[]+sqlParams+=+new+SqlParameter[]+{
++++new+SqlParameter("@Name",+contact.name),
++++new+SqlParameter("@Number",+contact.number),
++++new+SqlParameter("@PhotoPath",+contact.photoPath),
++++new+SqlParameter("@ID",+contact.id)
};|code-block|syntax|javascript|633669|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|L|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|M|8|@]|9|@]|A|$G|H]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

@Jethro

You could also write it like this:

<pre><code>SqlParameter[] sqlParams = new SqlParameter[] {
 new SqlParameter("@Name", contact.name),
 new SqlParameter("@Number", contact.number),
 new SqlParameter("@PhotoPath", contact.photoPath),
 new SqlParameter("@ID", contact.id)
};
</code></pre>

blocks|key|633718|text|PT:+Siga+os+passos+a+seguir+e解决SQL注入问题|type|unstyled|depth|inlineStyleRanges|entityRanges|data|633719|EN:按照以下步骤解决SQL注入问题：|633720|ES:+Siga+los+siguientes+pasos+y+resolver+el+problema+de+la+inyección+de+SQL：|633721|OracleParameter[]+tmpParans+=+new+OracleParameter[1];

tmpParans[0]+=+new+Oracle.DataAccess.Client.OracleParameter("@User",+txtUser.Text);

string+tmpQuery+=+"SELECT+COD_USER,+PASS+FROM+TB_USERS+WHERE+COD_USER+=+@User";

OracleCommand+tmpComand+=+new+OracleCommand(tmpQuery,+yourConnection);

tmpComand.Parameters.AddRange(tmpParans);


OracleDataReader+tmpResult+=+tmpComand.ExecuteReader(CommandBehavior.SingleRow);|code-block|syntax|javascript|633722|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|N|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|O|8|@]|9|@]|A|$]]|$1|F|3|G|5|H|7|P|8|@]|9|@]|A|$I|J]]|$1|K|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]]|L|$]]

PT: Siga os passos a seguir e resolva o problema de SQL INJECTION

EN: Follow the steps below and resolve the SQL INJECTION problem:

ES: Siga los siguientes pasos y resolver el problema de la inyección de SQL:

<pre><code>OracleParameter[] tmpParans = new OracleParameter[1];

tmpParans[0] = new Oracle.DataAccess.Client.OracleParameter("@User", txtUser.Text);

string tmpQuery = "SELECT COD_USER, PASS FROM TB_USERS WHERE COD_USER = @User";

OracleCommand tmpComand = new OracleCommand(tmpQuery, yourConnection);

tmpComand.Parameters.AddRange(tmpParans);


OracleDataReader tmpResult = tmpComand.ExecuteReader(CommandBehavior.SingleRow);
</code></pre>

I have some queries (to an acccess database) like this :

<pre><code>string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL='" + user + "' AND PASSWORD_AZIENDA='" + password + "'";
</code></pre>

and I'd like to "escape" user and password, preventing an injection.

How can I do it with C# and .NET 3.5? I'm searching somethings like mysql_escape_string on PHP...

How to prevent a SQL Injection escaping strings

数据库

我有一些查询(对acccess数据库)如下所示：string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL='" + user + "' AND PASSWORD_AZIENDA='" + password + "'";我想要“逃脱”用户和密码，防止注入。我如何在C#...

问如何防止SQL注入转义字符串
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何防止SQL注入转义字符串EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何防止SQL注入转义字符串
EN