stackoom
  简体   繁体   中英

How to build a parameterized query or user escaping in this SQL statement in C#?

 原文  2011-08-25 20:38:38       c#/ sql

Question

command.CommandText = String.Format("CREATE LOGIN {0} WITH password='{1}'", loginName, password);

loginName and password are based on some user input

I realize that it's bad practice to do it int this way but how to avoid sql injections here?

5 answers

solution1
 8  2011-08-25 20:40:40

调用sp_addlogin - 它已经参数化了

solution2
 0  2011-08-25 20:50:20

Here's how to parameterize your SQL. You may also want to check out this article on writing a DAO that handles this type of thing. I'm not sure if you can parameterize the LoginName. You're probably best off calling sp_addlogin like the previous poster said. 

       command.CommandText=  @"CREATE LOGIN @LoginName WITH password=@Password";
        command.CommandType = CommandType.Text;
        command.Parameters.Add(new SqlParameter()
            {
                ParameterName = "@LoginName",
                Value = "MyLoginNameValue",
                SqlDbType = SqlDbType.NVarChar,
                Size = 50
            });
        command.Parameters.Add(new SqlParameter()
            {
                ParameterName = "@Password",
                Value = "MyPasswordValue",
                SqlDbType = SqlDbType.NVarChar,
                Size = 50
            });

solution3
 0  2011-08-26 23:04:23

It seems like the most right way to do it is to use SQL Server SMO SDK. I don't care of any other SQL engines since we'll never move from SQL Server for sure.

solution4
 0  2012-01-03 10:40:16

You can parameterize such queries by wrapping your DDL query in an exec as follows:

command.CommandText = "exec ('CREATE DATABASE ' + @DB)"

If you then add the parameter for @DB as usual this should work (in t-sql at least).

It should be possible to use CREATE LOGIN in the same fashion.

solution5
 -1  2011-08-25 20:54:36

Can try something like this: 

SqlCommand cmd = new SqlCommand(
                "CREATE LOGIN @login WITH password=@pwd", conn);
SqlParameter param  = new SqlParameter();
param.ParameterName = "@login ";
param.Value         = usertextforlogin; 
cmd.Parameters.Add(param);

param  = new SqlParameter();
param.ParameterName = "@pwd";
param.Value         = usertextforpwd;   

cmd.Parameters.Add(param);

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to create a Dynamic Parameterized SQL Query String in C# sql parameterized query in C# with string webmatrix 3 C# SQL Error The parameterized query how to change sql statement to parameterized query? How to make a parameterized SELECT query in C#? c# mysql insert statement. Parameterized query example? What is the correct way to form a parameterized SQL statement in C# parameterized sql query - asp.net / c# Parameterized query which sends NULL value, with C# and SQL Server Query parameterized cannot insert value with c# and SQL Server
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM