在Where查询中防止SQL注入-SQL Server 2008和C#
对于插入,我已使用参数化查询:在Where查询中防止SQL注入-SQL Server 2008和C#,sql,c#-4.0,sql-injection,parameterized,Sql,C# 4.0,Sql Injection,Parameterized,对于插入,我已使用参数化查询: cmd.Parameters.Add("@ParamName",SqlDbType.VarChar).Value = objCampaignType.Name; 我使用SQL查询从搜索文本中搜索数据 SELECT p.Name, c.Name FROM Person AS p INNER JOIN Country AS c ON p.Country = c.ID WHERE p.Name LIKE '%searchText%' AND c.Name = US
cmd.Parameters.Add("@ParamName",SqlDbType.VarChar).Value = objCampaignType.Name;
SELECT p.Name, c.Name
FROM Person AS p
INNER JOIN Country AS c ON p.Country = c.ID
WHERE p.Name LIKE '%searchText%' AND c.Name = USA
提前感谢…您将需要使用系统存储过程sp_executesql,并向该过程传递类似以下内容的参数
DECLARE @Sql NVARCHAR(MAX);
DECLARE @Search NVARCHAR(100) = 'Searchme';
SET @Sql = N' SELECT p.Name, c.Name ' +
N' FROM Person AS p INNER JOIN Country AS c ON p.Country = c.ID ' +
N' WHERE p.Name LIKE ''%@Search%'' AND c.Name = USA'
EXECUTE sp_executesql @Sql
,N'@Search NVARCHAR(100)'
,@Search
这会阻止sql注入吗?这容易吗?:)@jayarathna-它将防止此查询的注入攻击;我不知道你剩下的代码是什么样子:)所有的查询都必须是参数化的。我从这个链接中找到了确切的答案
using (var conn = new SqlConnection(connectionString)) {
var query = @"
SELECT p.Name, c.Name
FROM Person AS p INNER JOIN
Country AS c ON p.Country = c.ID
WHERE p.Name LIKE '%' + @SearchText + '%' AND c.Name = @CountryName";
var cmd = new SqlCommand(query, conn);
cmd.Parameters.Add("SearchText", System.Data.SqlDbType.VarChar, 50).Value = "search text";
cmd.Parameters.Add("CountryName", System.Data.SqlDbType.VarChar, 50).Value = "USA";
conn.Open();
using (var reader = cmd.ExecuteReader()) {
while (reader.Read()) {
// enjoy dataset
}
}
}