I been reading a bit about SQL injection and I want to be sure my code is lets say "safe" from it, I was planning on using RegExp validators to check the user input but another post in here suggested only using parametrized querys, well I'm using them but I want to be sure my code is safe, is it?
我一直在阅读有关SQL注入的内容,我想确保我的代码可以让它说“安全”,我打算使用RegExp验证器来检查用户输入,但是这里的另一个帖子建议只使用参数化查询,我我正在使用它们,但我想确保我的代码是安全的,是吗?
using ( SqlConnection dataConnection = new SqlConnection(myConnectionString) )
{
using ( SqlCommand dataCommand = dataConnection.CreateCommand() )
{
dataCommand.CommandText = "INSERT INTO Lines (Name, CreationTime) " +
"VALUES (@LineName, @CurrentDateTime)";
dataCommand.Parameters.AddWithValue("@LineName", TextBox2.Text);
dataCommand.Parameters.AddWithValue("@CurrentDateTime", DateTime.Now.ToString());
dataConnection.Open();
//do other DB stuff
I chop the last part to make the post shorter, the rest is just trying and catching exceptions and closing db connection as well as providing user feedback on inserting successful.
我打破了最后一部分以使帖子更短,其余部分只是尝试捕获异常并关闭数据库连接以及提供用户插入成功的反馈。
3 个解决方案
#1
11
Your code is fine, it is protected from injection because the values are passed as parameters not string literals. However, if you are writing this type of data access yourself, have you considered creating SqlParameter objects and explicitly setting the type, size etc, and adding the parameters to the command? AddWithValue will work just fine, but SQL Server will have to determine the type, a little, but unnecessary overhead.
您的代码很好,它可以防止注入,因为值是作为参数而不是字符串文字传递的。但是,如果您自己编写此类数据访问,是否考虑过创建SqlParameter对象并显式设置类型,大小等,并将参数添加到命令中? AddWithValue可以正常工作,但SQL Server必须确定类型,一点点,但不必要的开销。
#2
1
Well, you could always try to inject a SQL statement into the textbox, that will probably give you a quicker, definite answer.
好吧,你总是可以尝试在文本框中注入一个SQL语句,这可能会给你一个更快,更明确的答案。
#3
1
Yes, that's reasonably safe. So long as you don't use "sanitized" variables from a prepared statement to generate dynamic sql later, you're usually ok. The fact that you're using a prepared statement will take care of dealing with escape characters and other simple methods of injection.
是的,这是相当安全的。只要你不使用预准备语句中的“已清理”变量来生成动态sql,你通常都可以。您正在使用预准备语句的事实将处理转义字符和其他简单的注入方法。
I wouldn't forgo any other validation though...
我不会放弃任何其他验证...
#1
11
Your code is fine, it is protected from injection because the values are passed as parameters not string literals. However, if you are writing this type of data access yourself, have you considered creating SqlParameter objects and explicitly setting the type, size etc, and adding the parameters to the command? AddWithValue will work just fine, but SQL Server will have to determine the type, a little, but unnecessary overhead.
您的代码很好,它可以防止注入,因为值是作为参数而不是字符串文字传递的。但是,如果您自己编写此类数据访问,是否考虑过创建SqlParameter对象并显式设置类型,大小等,并将参数添加到命令中? AddWithValue可以正常工作,但SQL Server必须确定类型,一点点,但不必要的开销。
#2
1
Well, you could always try to inject a SQL statement into the textbox, that will probably give you a quicker, definite answer.
好吧,你总是可以尝试在文本框中注入一个SQL语句,这可能会给你一个更快,更明确的答案。
#3
1
Yes, that's reasonably safe. So long as you don't use "sanitized" variables from a prepared statement to generate dynamic sql later, you're usually ok. The fact that you're using a prepared statement will take care of dealing with escape characters and other simple methods of injection.
是的,这是相当安全的。只要你不使用预准备语句中的“已清理”变量来生成动态sql,你通常都可以。您正在使用预准备语句的事实将处理转义字符和其他简单的注入方法。
I wouldn't forgo any other validation though...
我不会放弃任何其他验证...