使用参数化的SqlCommand是否会使我的程序不受SQL注入的影响?
[英]Does using parameterized SqlCommand make my program immune to SQL injection?
问题描述
I'm aware that SQL injection is rather dangerous . 
我知道SQL注入是相当危险的 。 Now in my C# code I compose parameterized queries with SqlCommand class : 现在在我的C#代码中,我使用SqlCommand类编写参数化查询:
SqlCommand command = ...;
command.CommandText = "SELECT * FROM Jobs WHERE JobId = @JobId;";
command.Parameters.Add("@JobId", SqlDbType.UniqueIdentifier ).Value = actualGuid;
command.ExecuteNonQuery();
Will this automatically make my code immune to SQL injection? 这会自动使我的代码不受SQL注入的影响吗? Do I have to do something extra? 我需要做些额外的事情吗?
5 个解决方案
解决方案1
27 已采纳 2011-08-24 11:49:06
I'd say for your particular, and probably canonical, example for parametrized queries, yes it is sufficient. 我想为您的参数化查询示例提供特定的,也许是规范的示例,是的,这足够了。
However, people sometimes write code like this 但是,人们有时会这样写代码
cmd.CommandText = string.Format("SELECT * FROM {0} WHERE col = @col;", tableName);
cmd.Parameters.Add("@col", ...);
because there is simply no way to pass the tablename itself as a parameter and the desire to do exists sometimes - misguided or not. 因为根本没有办法将表名本身作为参数传递,并且有时存在执行的愿望-是否被误导了。 It seems it is then often overlooked, that tableName (unless maybe only read from a set of static/constant values that do not derive from any input) indeed allows for SQL injection. 似乎然后常常被忽略了,tableName(除非只能从不是从任何输入派生的一组静态/常量值中读取)确实允许SQL注入。
解决方案2
17 2011-08-24 11:45:22
According to the Note on this MSDN Article , "Special input characters pose a threat only with dynamic SQL and not when using parameterized SQL." 根据有关此MSDN文章的注释,“特殊输入字符仅对动态SQL构成威胁,而在使用参数化SQL时则不构成威胁。”
So I believe you are safe against SQL Injection. 因此,我相信您可以安全地进行SQL注入。 There might be some logical risks when using Identifiers like Idendity Values in your URLs but this is another story. 在URL中使用标识符(例如Idendity Values)时,可能会有逻辑上的风险,但这是另一回事了。
解决方案3
8 2011-08-24 11:46:14
SQL Injection is mostly dependent on execution of dynamic SQL. SQL注入主要取决于动态SQL的执行。 In other words, SQL statements constructed by the concatenation of SQL with user-entered values. 换句话说,SQL语句是由SQL与用户输入的值串联而成的。
To avoid SQL Injection completely, 为了完全避免SQL注入,
Protecting yourself against SQL injection attacks is not very difficult.
解决方案4
1 2011-08-24 17:04:17
使用SqlCommand是一种非常好的做法,只要您不将SQL字符串连接到任何地方(包括在调用的任何存储过程中,即避免使用动态SQL),就可以免受SQL注入攻击。
解决方案5
-3 2017-04-28 15:22:43
You are not immune to SQL injection if you use dynamic sql, even if you are passing it through parameters. 如果您使用动态sql,即使您通过参数传递它,也无法幸免于SQL注入。 Too bad SQL Server doesn't have a built in function to sanitize parameters 太糟糕的SQL Server没有内置函数来清理参数
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.