![](/img/trans.png)
[英]How to escape string in System.Data.SQLite without prepared statements
[英]How to escape a string in system.data.sqlite?
我正在執行一個SQL查詢(system.data.SQLite),如下所示:
var color = "red";
var command = new SQLiteCommand("SELECT something FROM tabletop WHERE color = '" + color + "'", Connection);
var reader = command.ExecuteReader();
顏色變量是用戶提供的文本。 如何轉義此文本以防止SQL注入? 還是這種不好的做法,我應該以完全不同的“受保護”方式執行查詢嗎?
您應該使用參數化查詢:
var command = new SQLiteCommand("SELECT something FROM tabletop WHERE color = @Color", Connection);
command.Parameters.AddWithValue("Color", color);
您還可以將SQLiteParameter
的數組傳遞給command.Parameters
集合,如下所示:
SQLiteParameter[] parameters = { new SQLiteParameter("Color", color), new SQLiteParameter("Size", size) }; // etc.
command.Parameters.AddRange(parameters);
你用准備好的陳述來做:
SQLiteCommand sql = SQLiteDB.CreateCommand();
sql.CommandText = @"INSERT INTO aziende VALUES (@id_azienda, @nome)";
SQLiteParameter lookupValue = new SQLiteParameter("@id_azienda");
SQLiteParameter lookupValue2 = new SQLiteParameter("@nome");
sql.Parameters.Add(lookupValue);
sql.Parameters.Add(lookupValue2);
lookupValue.Value = "Your unsafe user input goes here";
lookupValue2.Value = "Your second unsafe user input goes here";
sql.ExecuteNonQuery();
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.