问题描述
在我的项目中,我正在使用像这样的SQL查询
但是您已经告诉我这些查询根本不安全,那么什么是安全的SQL查询.
如何赋予用户输入州名的权利
请给我发送任何有关用户查询安全查询的示例,以供用户
插入数据
试试
{
字符串str2 =从状态中选择代码,其中code ="" + this.txtstatecode.Text +''";
SqlCommand cmd1 =新的SqlCommand();
cmd1.CommandText = str2;
cmd1.Connection = conn;
//cmd.ExecuteNonQuery();
SqlDataReader rd = cmd1.ExecuteReader();
//stem.Windows.MessageBox.Show(rd.Read().ToString());
如果(rd.Read())
{
System.Windows.MessageBox.Show(记录已存在");
}
其他
{
字符串str =插入State(Code,Name)值(""+ this.txtstatecode.Text +"'',''"+ this.txtstatename.Text +"'');
//if rdr.GetString()
cmd1.CommandText = str;
cmd1.Connection = conn;
cmd1.ExecuteNonQuery();
//System.Windows.MessageBox.Show(数据已成功插入");
//cmd.Connection = conn;
DataTable dt = new DataTable();
字符串str1 =从国家/地区选择代码,名称";//其中code =''"+ this.txtstatecode.Text +"'';
cmd1.Connection = conn;
cmd1.CommandType = CommandType.Text;
cmd1.CommandText = str1;
SqlDataAdapter adp =新的SqlDataAdapter(cmd1);
SqlCommandBuilder cb =新的SqlCommandBuilder(adp);
/*粘贴在这里*/
adp.Fill(dt);
bs.DataSource = dt;
saidg5.ItemsSource = bs;
adp.Update(dt);
this.statedg5.Items.Refresh();
//rd.Close();
}
}
catch(e1异常)
{
System.Windows.MessageBox.Show(e1.Message);
}
Hi,
In my project I am using SQL queries like this
But you already informed me that these queries not secure at all, then what is the secure sql query.
How can give the right to user to enter the statename
Pls send me any example for secure queries for inserting data by the user
try
{
String str2 = "select code from state where code=''" + this.txtstatecode.Text + "''";
SqlCommand cmd1 = new SqlCommand();
cmd1.CommandText = str2;
cmd1.Connection = conn;
//cmd.ExecuteNonQuery();
SqlDataReader rd = cmd1.ExecuteReader();
//stem.Windows.MessageBox.Show(rd.Read().ToString ());
if (rd.Read())
{
System.Windows.MessageBox.Show("Record already existing");
}
else
{
String str = "insert into State(Code,Name)values (''" + this.txtstatecode.Text + "'',''" + this.txtstatename.Text + "'')";
//if rdr.GetString ()
cmd1.CommandText = str;
cmd1.Connection = conn;
cmd1.ExecuteNonQuery();
//System.Windows.MessageBox.Show("Data Inserted Successfully");
//cmd.Connection = conn;
DataTable dt = new DataTable();
String str1 = "select code,name from State";// where code=''" + this.txtstatecode.Text + "''";
cmd1.Connection = conn;
cmd1.CommandType = CommandType.Text;
cmd1.CommandText = str1;
SqlDataAdapter adp = new SqlDataAdapter(cmd1);
SqlCommandBuilder cb = new SqlCommandBuilder(adp);
/* paste here */
adp.Fill(dt);
bs.DataSource = dt;
statedg5.ItemsSource = bs;
adp.Update(dt);
this.statedg5.Items.Refresh();
// rd.Close();
}
}
catch (Exception e1)
{
System.Windows.MessageBox.Show(e1.Message);
}
推荐答案
String str2 = "select code from state where code='" + this.txtstatecode.Text + "'";
您可以接受SQL注入攻击.而是将参数传递给命令,如下所示:
You open yourself up to SQL injection attacks. Instead, pass parameters to the command like this:
String str2 = "select code from state where code=@StateCode";
SqlCommand cmd1 = new SqlCommand();
cmd1.Parameters.Add(new SqlParameter("StateCode", this.txtstatecode.Text));
转义等将由.Net Framework处理.这样,您就不会对SQL注入攻击开放.
Escaping and such will be handled by the .Net Framework. That way, you will not open yourself up to SQL injection attacks.
这篇关于安全SQL查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!