HttpUtility.UrlEncode防止SQL注入
[英]HttpUtility.UrlEncode to prevent SQL inject
问题描述
was using HttpUtility.UrlEncode() to prevent SQL injection on where clauses. 
使用HttpUtility.UrlEncode()来防止SQL注入where子句。 However some of the text being input has spaces and replacing them with %20 will stop the query. 但是,正在输入的某些文本带有空格,将其替换为%20将停止查询。 Is there a better alternative? 有更好的选择吗?
2 个解决方案
解决方案1
1 2016-08-31 15:01:30
Use parameters in your database queries rather than concatenating input. 在数据库查询中使用参数,而不是连接输入。 Job done. 任务完成。 If that sounds like a lot of work - consider tools like dapper that make it easy: 如果这听起来需要大量工作,请考虑使用dapper之类的工具来简化工作:
string name = ...
int regionId = ...
var customers = connection.Query<Customer>(
"select * from Customers where Name = @name and RegionId = @regionId",
new { name, regionId }).AsList();
解决方案2
1 2016-08-31 15:03:26
To prevent SQL Injection it is preferred to use SQL Parameters. 为了防止SQL注入,最好使用SQL参数。 When working with parameters SQL ensures that the parameters in the query are never executed. 使用参数SQL时,请确保永远不要执行查询中的参数。
Never construct queries by concatenating strings. 切勿通过串联字符串构造查询。 Especially when it is input that is untrusted (Received from a user)! 特别是当输入的内容不受信任时(从用户那里收到)!
In your case using c# you can take a look here: http://csharp-station.com/Tutorial/AdoDotNet/Lesson06 对于使用c#的情况,您可以在这里查看: http : //csharp-station.com/Tutorial/AdoDotNet/Lesson06
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.