参数化查询如何帮助防止 SQL 注入?

How do parameterized queries help against SQL injection?(参数化查询如何帮助防止 SQL 注入?)

问题描述

在查询 1 和 2 中，文本框中的文本都插入到数据库中.这里参数化查询有什么意义?

In both queries 1 and 2, the text from the textbox is inserted into the database. What's the significance of the parameterized query here?

1. 将 txtTagNumber 作为查询参数传递

SqlCommand cmd = new SqlCommand("INSERT INTO dbo.Cars " +"VALUES(@TagNbr);" , conn);
cmd.Parameters.Add("@TagNbr", SqlDbType.Int);
cmd.Parameters["@TagNbr"].Value = txtTagNumber.Text;

int tagnumber = txtTagNumber.Text.ToInt16(); /* EDITED */
INSERT into Cars values(tagnumber.Text); /* then is it the same? */

另外，在这里我会使用正则表达式验证来阻止非法字符的插入.

Also, here I would use Regular Expression validation to stop insertion of illegal characters.

推荐答案

参数化查询在运行 SQL 查询之前会正确替换参数.它完全消除了脏"输入改变查询含义的可能性.也就是说，如果输入包含 SQL，它就不能成为执行内容的一部分，因为 SQL 从未注入到结果语句中.

Parameterized queries do proper substitution of arguments prior to running the SQL query. It completely removes the possibility of "dirty" input changing the meaning of your query. That is, if the input contains SQL, it can't become part of what is executed becase the SQL is never injected into the resulting statement.

这篇关于参数化查询如何帮助防止 SQL 注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持编程学习网！