
How to change an SQL statement to a parameterized query?

I have an SQL query that I need to change to parameters so I can avoid SQL injection.

// Current query: the values are concatenated into the SQL text (the parameters added below are never referenced by it)
adapter.SelectCommand.CommandText = @"SELECT c.*,(Select Initials FROM users WHERE User_ID = c.CreatedByUser) AS CreatedBy, (SELECT Initials FROM users WHERE User_ID = c.ModifiedByUser) AS ModifiedBy FROM currency c WHERE c.Company_ID = " + Company_ID + " AND c.CurrencyCode = '" + Code.Replace("'", "''") + "' ORDER BY c.Description";
adapter.SelectCommand.Parameters.Add(new MySqlParameter("company_ID", Company_ID));
adapter.SelectCommand.Parameters.Add(new MySqlParameter("code", Code));

I know that for Company_ID I need to change it to WHERE c.Company_ID = ?company_ID, but I am not sure what to do for c.CurrencyCode = '" + Code.Replace("'", "''") + "'

I just don't know how to change the Code.Replace part, since it's not as simple as company_ID.

As per here

Try using (for ODBC, for example):

// The third argument of this Add overload is the column size (int); the value is assigned separately.
// No quote escaping is needed: the driver sends the parameter value out of band, so keeping
// Code.Replace("'", "''") here would store doubled quotes in the value.
cmd.Parameters.Add("?CURRENCY", OdbcType.VarChar, 250).Value = Code;

ODBC approach

OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID IN (?, ?)";
cmd.Parameters.Add("?ID1", OdbcType.VarChar, 250).Value = email1;
cmd.Parameters.Add("?ID2", OdbcType.VarChar, 250).Value = email2;

For Oracle:

//create SQL and insert parameters
OracleCommand cmd = new OracleCommand("insert into daily_cdr_logs (message) values (:_message)", con);
cmd.Parameters.Add(new OracleParameter("_message", msg));

For MySQL:

cmd = new MySqlCommand("SELECT * FROM admin WHERE admin_username=@val1 AND admin_password=PASSWORD(@val2)", MySqlConn.conn);
cmd.Parameters.AddWithValue("@val1", tboxUserName.Text);
cmd.Parameters.AddWithValue("@val2", tboxPassword.Text);
cmd.Prepare();

So a parameterized query (to me at least) generally means that you have created a stored procedure on your database and then use your code to execute the stored procedure while passing in the relevant parameters.

This has a couple of benefits:

  1. DRY - you don't have to repeat the query in code; you can just call the execute method and pass in the appropriate parameters.
  2. Helps prevent SQL injection - you can only modify the parameters, which hopefully will be sanitized before being passed to the query.

Here is how to create a stored procedure according to MSDN

and

Here is how to execute a stored procedure according to MSDN

If you are determined to do it via LINQ, MSDN has what you are looking for here

EDIT: It seems you are concerned about SQL injection (which is good!); here is an article (again from MSDN) that covers that topic pretty extensively
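As an added illustration of the stored-procedure approach described in this answer (this is not code from the answer or from the asker's project), here is how a MySQL stored procedure wrapping the question's lookup could be called from C# with MySql.Data (Connector/NET). The procedure name get_currency and its parameter names are assumptions; the table and column names come from the question.

```csharp
// Added example: calling a parameterized MySQL stored procedure from C#.
// Assumes MySql.Data (Connector/NET). The procedure get_currency below is
// hypothetical; it would be created once on the server, not by application code.
using System;
using System.Collections.Generic;
using System.Data;
using MySql.Data.MySqlClient;

public static class CurrencyProcedures
{
    // Definition of the hypothetical procedure, for reference only.
    public const string CreateProcedureSql = @"
        CREATE PROCEDURE get_currency(IN p_company_id INT, IN p_code VARCHAR(10))
        BEGIN
            SELECT c.CurrencyCode, c.Description
            FROM currency c
            WHERE c.Company_ID = p_company_id AND c.CurrencyCode = p_code
            ORDER BY c.Description;
        END";

    // Executes CALL get_currency(p_company_id, p_code) and returns the rows as
    // (CurrencyCode, Description) pairs. The query text never contains user input:
    // both arguments travel as typed parameters.
    public static List<KeyValuePair<string, string>> CallGetCurrency(
        MySqlConnection conn, int companyId, string code)
    {
        var rows = new List<KeyValuePair<string, string>>();
        using (var cmd = new MySqlCommand("get_currency", conn))
        {
            // Tell the driver to issue a CALL rather than run the text as a SELECT.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@p_company_id", MySqlDbType.Int32).Value = companyId;
            cmd.Parameters.Add("@p_code", MySqlDbType.VarChar, 10).Value = code;

            using (MySqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    rows.Add(new KeyValuePair<string, string>(
                        reader.GetString("CurrencyCode"),
                        reader.GetString("Description")));
                }
            }
        }
        return rows;
    }
}
```

Usage: open a MySqlConnection, then call CurrencyProcedures.CallGetCurrency(conn, 42, "USD"). The procedure body is where the SQL lives, so the application only ever passes values, which is the DRY and injection-resistance benefit the answer describes.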

I have the answer. c.CurrencyCode = '" + Code.Replace("'", "''") + "' simply changes to c.CurrencyCode = ?code
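To show the rewrite end to end, here is the question's query in its concatenated form beside the parameterized form the accepted answer arrives at. This is an added example, not code from the question or from any of the answers; it assumes MySql.Data (Connector/NET) and uses the @ parameter prefix of current versions (older Connector/NET releases used ?company_ID and ?code, as in the question). The CurrencyRepository class name and the parameter sizes are assumptions; table and column names come from the question.

```csharp
// Added example: the asker's SELECT rewritten from string concatenation to
// MySqlParameter placeholders. Assumes MySql.Data (Connector/NET).
using System;
using System.Data;
using MySql.Data.MySqlClient;

public static class CurrencyRepository
{
    // "Before" (the pattern in the question): values are spliced into the SQL text.
    // Company_ID is not quoted or escaped at all, and the quote-doubling on Code is
    // hand-rolled escaping that is easy to get wrong elsewhere.
    public static string BuildConcatenatedSql(string companyId, string code)
    {
        return "SELECT c.* FROM currency c WHERE c.Company_ID = " + companyId +
               " AND c.CurrencyCode = '" + code.Replace("'", "''") + "' ORDER BY c.Description";
    }

    // "After": the SQL text is a constant. The driver transmits the values separately,
    // so Code.Replace("'", "''") is dropped; keeping it would store doubled quotes.
    private const string SelectSql = @"
        SELECT c.*,
               (SELECT Initials FROM users WHERE User_ID = c.CreatedByUser)  AS CreatedBy,
               (SELECT Initials FROM users WHERE User_ID = c.ModifiedByUser) AS ModifiedBy
        FROM currency c
        WHERE c.Company_ID = @company_ID AND c.CurrencyCode = @code
        ORDER BY c.Description";

    public static DataTable LoadCurrency(MySqlConnection conn, int companyId, string code)
    {
        using (var cmd = new MySqlCommand(SelectSql, conn))
        {
            // Typed parameters: the integer stays an integer and the string stays a
            // single string value however many quotes or keywords it contains.
            cmd.Parameters.Add("@company_ID", MySqlDbType.Int32).Value = companyId;
            cmd.Parameters.Add("@code", MySqlDbType.VarChar, 10).Value = code;

            // Same MySqlDataAdapter usage as in the question, now fed a parameterized command.
            using (var adapter = new MySqlDataAdapter(cmd))
            {
                var table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
}
```

With the parameterized form, a Code value such as O'Reilly needs no special handling: the driver sends it as a value, and the WHERE clause compares against it literally. The two earlier Parameters.Add(new MySqlParameter(...)) lines from the question become useful only once the SQL text actually references the placeholders, which is the change the accepted answer describes.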
