
Problem description

Using SqlParameters is a recommended method to prevent SQL Injection in your database queries. Where can I find the code/function that internally sanitizes these parameters? I'd like to re-use this function in a custom implementation of mine. I tried to find it using Reflector, but was unsuccessful.

Recommended answer

It protects against SQL Injection, not XSS, and there is no code or function that sanitizes the parameter data.

The protection is accomplished by transmitting the parameter values to the server separately from the query string, so that the values are never substituted directly into the sql statement.

So instead of sql server running something like this:

SELECT * FROM [table] WHERE [column] = ParameterValue

It's more as if it ran something like this:

DECLARE @ParamValue int
-- @ParamValue variable is populated from the framework in a safe way
SELECT * FROM [table] WHERE [column] = @ParamValue

This is faster and much more secure and robust than a function that would have to evaluate the parameter data. Such a function would need to be very complex (read: error prone) to handle things like custom escape characters and future enhancements.

This neatly side steps the whole issue: data is data, code is code, and never the twain shall meet.


Your comment to the other, now deleted, answer:

If I pass in the value O'Rourke, it encodes it as O''Rourke so that it does not break the query. Correct?

No, that is not correct. The variable is created directly from a data block, and so no special escaping or encoding is needed.
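An added example (not part of the original question or answer) illustrating the point the answer makes: with a bound parameter the value travels separately from the SQL text, so the apostrophe in O'Rourke is never escaped or doubled and never becomes part of the statement. The answer discusses SqlCommand and SQL Server; this example uses Python's built-in sqlite3 module instead so that it runs offline, and the table and row are constructed for the demonstration. The binding mechanism it shows is the same idea.

```python
"""Added example (not from the original Q&A): parameter binding keeps data
out of the SQL text. Uses sqlite3 rather than SqlCommand so it runs offline;
the table 'people' and the row 'O'Rourke' are constructed sample data."""
import sqlite3


def build_db():
    """Create an in-memory table holding one constructed row: O'Rourke."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    # The insert is itself parameterized: the apostrophe goes in as data.
    conn.execute("INSERT INTO people (name) VALUES (?)", ("O'Rourke",))
    return conn


def lookup_concatenated(conn, value):
    """The unsafe pattern: the value is pasted into the SQL text, so the
    apostrophe in O'Rourke terminates the string literal early and the
    engine sees broken code. Returns the error text instead of raising so
    the failure mode can be inspected."""
    sql = "SELECT name FROM people WHERE name = '" + value + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "ERROR: " + str(exc)


def lookup_parameterized(conn, value):
    """The safe pattern: the SQL text contains only a placeholder; the driver
    sends the value separately and the engine compares it as data. No
    escaping or quote-doubling happens anywhere."""
    sql = "SELECT name FROM people WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def stored_value(conn):
    """Read the row back to confirm the stored string is exactly O'Rourke,
    i.e. the framework never rewrote it as O''Rourke."""
    return conn.execute("SELECT name FROM people").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print(lookup_concatenated(db, "O'Rourke"))   # ERROR: ... syntax error
    print(lookup_parameterized(db, "O'Rourke"))  # ["O'Rourke"]
    print(stored_value(db))                      # O'Rourke
```

The concatenated query fails because the quote became part of the code; the parameterized query succeeds because the same characters were only ever data, which is exactly why there is no sanitizing function to find.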
