问题描述
使用 OrientDB-NET.binary针对OrientDb进行编程时,如何防止sql注入?>?有没有一种方法可以转义Orient-SQL的特殊字符并使用字符串文字?
How can I prevent sql injection when programming against OrientDb using the OrientDB-NET.binary? Is there a way to escape special characters for Orient-SQL and work with string literals?
示例:我想存储以下文字: me'或1 = 1),'//
,然后能够像
Example: I want to store this literal: me' or 1 = 1 ),'//
and then be able to query it like
select from MyVertex where text = '...'
我也很难在OrientDb Studio中做到这一点.
I'm having trouble doing this in OrientDb studio too.
我发现了与此相关的帖子Java驱动程序,所以我想知道.NET是否有类似的东西.
I have found this post which is related to the Java driver, so I was wondering if there is something similar for .NET.
推荐答案
您需要使用参数化查询.
这些查询将数据与语法分开,这是SQL注入背后的根本问题.
You need to use parameterized queries.
These are queries that separate data from syntax, which is the root problem behind SQL injection.
在C#中,使用OrientDB-NET二进制文件,您想要执行以下操作(改编自 OrientDB-NET Wiki :
In C#, using the OrientDB-NET binary, you want to do something like this (adapted from the OrientDB-NET wiki:
using (ODatabase database = new ODatabase("yourDatabase"))
{
PreparedQuery query = new PreparedQuery("SELECT FROM MyVertex WHERE text = ?");
var selectedValue = database
.Query(query)
.Run([***Your Input Here***])
.SingleOrDefault();
var text = selectedValue.GetField<string>("text");
}
您可以查看针对PreparedQuery的OrientDB-NET单元测试,以查看有关如何执行此操作的更多示例.
You can check out the OrientDB-NET unit tests for PreparedQuery to see more examples of how you might do this.
这篇关于OrientDb SQL注入和转义字符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!