[英]how to change sql statement to parameterized query?
I have an sql query that I need change to parameters so I can avoid sql injection. 我有一个需要更改参数的sql查询,因此可以避免sql注入。
adapter.SelectCommand.CommandText = @"SELECT c.*,(Select Initials FROM users WHERE User_ID = c.CreatedByUser) AS CreatedBy, (SELECT Initials FROM users WHERE User_ID = c.ModifiedByUser) AS ModifiedBy FROM currency c WHERE c.Company_ID = " + Company_ID + " AND c.CurrencyCode = '" + Code.Replace("'", "''") + "' ORDER BY c.Description
adapter.SelectCommand.Parameters.Add(new MySqlParameter("company_ID", Company_ID));
adapter.SelectCommand.Parameters.Add(new MySqlParameter("code", Code));
I know for Company_ID I need to change it to WHERE c.Company_ID = ?company_ID
but I am not sure what to do for c.CurrencyCode = '" + Code.Replace("'", "''") + "'
我知道我需要将Company_ID更改为
WHERE c.Company_ID = ?company_ID
但是我不确定c.CurrencyCode = '" + Code.Replace("'", "''") + "'
I just don't know how to change the Code.Replace
part, since its not a simple as company_ID 我只是不知道如何更改
Code.Replace
部分,因为它不像company_ID那样简单
Try using (for odbc for example): 尝试使用(例如对于odbc):
cmd.Parameters.Add("?CURRENCY", OdbcType.VarChar, Code.Replace("'", "''"))
Odbc approach Odbc方法
OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID IN (?, ?)";
cmd.Parameters.Add("?ID1", OdbcType.VarChar, 250).Value = email1;
cmd.Parameters.Add("?ID2", OdbcType.VarChar, 250).Value = email2;
For oracle: 对于oracle:
//create SQL and insert parameters
OracleCommand cmd = new OracleCommand("insert into daily_cdr_logs (message) values (:_message)", con);
cmd.Parameters.Add(new OracleParameter("_message", msg));
For mysql: 对于mysql:
cmd = new MySqlCommand("SELECT * FROM admin WHERE admin_username=@val1 AND admin_password=PASSWORD(@val2)", MySqlConn.conn);
cmd.Parameters.AddWithValue("@val1", tboxUserName.Text);
cmd.Parameters.AddWithValue("@val2", tboxPassword.Text);
cmd.Prepare();
So a parameterized query (to me at least) generally means that you have created a stored procedure on your database and then use your code to execute the stored procedure while passing in the relevant parameters. 因此,参数化查询(至少对我而言)通常意味着您已经在数据库上创建了一个存储过程,然后在传递相关参数的同时使用代码执行该存储过程。
This has a couple of benefits 这有几个好处
Here is how to create a stored procedure according to MSDN 这是根据MSDN如何创建存储过程的方法
and 和
Here is how to execute aa stored procedure according to MSDN 这是根据MSDN执行存储过程的方法
If you are determined to do it via LINQ, MSDN has what you are looking for here 如果您确定要通过LINQ进行操作,那么MSDN可以为您提供所需的信息
EDIT : It seems you are concerned about sql-injection (which is good!), here is an article (again from MSDN) that covers that topic pretty extensively 编辑 :看来您担心sql-injection(这很好!), 这是一篇文章(同样是MSDN的),涵盖了该主题
I have the answer. 我有答案。
c.CurrencyCode = '" + Code.Replace("'", "''") + "'
simply changes to c.CurrencyCode = ?code
c.CurrencyCode = '" + Code.Replace("'", "''") + "'
只是更改为c.CurrencyCode = ?code
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.