
Using SqlParameter for security with C# ASP.NET and SQL Server 2008 R2

I'm converting the following C# markup to use SqlParameter (I'm new to SqlParameter) in order to enhance security:

public static void EmptyTable(string TableToEmpty)
{
    try
    {
        using (SqlConnection conn = new SqlConnection(DatabaseConnectionString))
        {
            using (SqlCommand cmd = new SqlCommand("TRUNCATE TABLE @prmTableToEmpty", conn))
            //using (SqlCommand cmd = new SqlCommand("TRUNCATE TABLE " + TableToEmpty, conn))
            {
                cmd.Parameters.Add(new SqlParameter("@prmTableToEmpty", TableToEmpty));
                cmd.Connection.Open();
                cmd.ExecuteNonQuery();
            }
        }
    }
    catch
    {
        throw;
    }
}

Without the parameter it works smoothly. However, with this syntax I get this exception:

    [SqlException (0x80131904): Incorrect syntax near '@prmTableToEmpty'.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +2073550
   System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +5064508
   System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning() +234
   System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2275
   System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +215
   System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +987
   System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +162
   System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe) +178
   System.Data.SqlClient.SqlCommand.ExecuteNonQuery() +137
   pjsql.EmptyTable(String TableToEmpty) in c:\website\App_Code\mySqlClass.cs:67
   _Default.btnEmptyTheTable_Click(Object sender, EventArgs e) in c:\website\Default.aspx.cs:83
   System.Web.UI.WebControls.Button.OnClick(EventArgs e) +118
   System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +112
   System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5563

Both line numbers mentioned contain the throw; command.

I went through this: http://msdn.microsoft.com/en-us/library/4f844fc7(v=vs.71).aspx

and tried this alternative syntax: http://www.csharp-station.com/Tutorials/AdoDotNet/Lesson06.aspx

but with no luck.

What am I missing?

Parameters may not be used in place of object names.

To enhance security when dynamically substituting object names, use quotename (first execute a command select quotename(@prmTableToEmpty) using a parameter, then use the result of this command to build your truncate command and execute it without parameters).

using (SqlConnection conn = new SqlConnection(DatabaseConnectionString))
{
    conn.Open();

    string sanitized_name;

    // Step 1: let SQL Server quote the name. The raw value travels as a
    // parameter, so it is never interpreted as SQL here.
    using (SqlCommand cmd = new SqlCommand("select quotename(@prmTableToEmpty)", conn))
    {
        cmd.Parameters.Add(new SqlParameter("@prmTableToEmpty", TableToEmpty));
        sanitized_name = (string)cmd.ExecuteScalar();
    }

    // Step 2: quotename returned a single [delimited] identifier, so it is
    // now safe to concatenate it into the statement text.
    using (SqlCommand cmd = new SqlCommand("TRUNCATE TABLE " + sanitized_name, conn))
    {
        cmd.ExecuteNonQuery();
    }
}
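The answer relies on what quotename does to the name, so the following added example (not code from the original post or the answer) models that behaviour client-side to show why the concatenation becomes safe, and adds the one check the answer's code leaves out: an allow-list of tables the application may truncate. The quotename model follows the documented rules (wrap in brackets, double every "]", return NULL for input longer than sysname's 128 characters); the parser shows how the server would tokenise the result; the ALLOWED_TABLES set and the payload strings are constructed for the demonstration and are assumptions, not anything from the post. In a real application keep the quoting on the server as the answer does, and validate the name against sys.tables rather than a hard-coded set.

```python
"""Model of SQL Server quotename() plus an allow-list check for dynamic object names.

Added example, not code from the original post. Names, payloads and the
allow-list below are constructed for illustration.
"""
from typing import Optional, Tuple

SYSNAME_MAX = 128  # quotename() returns NULL when the input exceeds sysname


def quotename(identifier: Optional[str]) -> Optional[str]:
    """Mimic T-SQL QUOTENAME(@s) with the default '[' delimiter.

    Every ']' inside the name is doubled, so whatever the caller supplied
    comes back as exactly one delimited identifier.
    """
    if identifier is None or len(identifier) > SYSNAME_MAX:
        return None
    return "[" + identifier.replace("]", "]]") + "]"


def parse_delimited(sql: str) -> Tuple[str, str]:
    """Tokenise one [delimited] identifier the way the T-SQL parser would.

    Returns (identifier, remaining_text). A doubled ']]' is a literal ']';
    a single ']' ends the identifier. Used here to show that quoted attack
    text leaves nothing behind to execute.
    """
    if not sql.startswith("["):
        raise ValueError("not a delimited identifier")
    out = []
    i = 1
    while i < len(sql):
        if sql[i] == "]":
            if i + 1 < len(sql) and sql[i + 1] == "]":
                out.append("]")
                i += 2
                continue
            return "".join(out), sql[i + 1:]
        out.append(sql[i])
        i += 1
    raise ValueError("unterminated delimited identifier")


# Constructed stand-in for the rows of sys.schemas/sys.tables that this
# application is permitted to truncate (an assumption for the example).
ALLOWED_TABLES = {("dbo", "ImportStaging"), ("dbo", "SessionLog")}


class TableNotAllowed(ValueError):
    """Raised when a caller names a table outside the allow-list."""


def build_truncate(schema: str, table: str) -> str:
    """Build 'TRUNCATE TABLE [schema].[table]' for an allow-listed table.

    The allow-list is the authorisation step quotename cannot provide:
    quoting only guarantees the text is one identifier, it does not stop a
    caller from naming a table they should not be able to empty. Schema and
    table are quoted separately, because quotename('dbo.Users') yields the
    single identifier [dbo.Users], which does not resolve.
    """
    if (schema, table) not in ALLOWED_TABLES:
        raise TableNotAllowed(f"{schema}.{table} is not a truncatable table")
    quoted_schema = quotename(schema)
    quoted_table = quotename(table)
    if quoted_schema is None or quoted_table is None:
        raise ValueError("identifier exceeds sysname length")
    return f"TRUNCATE TABLE {quoted_schema}.{quoted_table}"


def neutralised(payload: str) -> Tuple[str, str]:
    """Quote a constructed payload and re-parse it as the server would.

    For the unquoted concatenation in the question's commented-out line,
    the payload would run as SQL; after quotename it is one identifier
    (first element) with an empty remainder (second element).
    """
    return parse_delimited(quotename(payload))


if __name__ == "__main__":
    for p in ("Users; DROP TABLE Users; --", "Users]; DROP TABLE Users; --"):
        print(repr(quotename(p)), "->", neutralised(p))
    print(build_truncate("dbo", "SessionLog"))
```

Note the asymmetry the example makes visible: quotename turns an injection attempt into a lookup for a table that does not exist (the server reports an invalid object name instead of executing the payload), but it happily quotes any real table name, so a web handler such as btnEmptyTheTable_Click still needs the allow-list or an equivalent check against sys.tables before it builds the TRUNCATE.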
