这个SQL查询，注入安全吗

I think the initial code is fine:

我认为最初的代码很好:

SqlCommand param = new SqlCommand();
SqlGeometry point = SqlGeometry.Point(center_lat,center_lng,0);
SqlGeometry poly = SqlGeometry.STPolyFromText(new SqlChars(new SqlString(polygon)),0);
param.CommandText = "INSERT INTO Circle (Center_Point, Circle_Data) VALUES (@point,@poly);";
param.Parameters.Add(new SqlParameter("@point", SqlDbType.Udt));
param.Parameters.Add(new SqlParameter("@poly", SqlDbType.Udt));
param.Parameters["@point"].UdtTypeName = "geometry";
param.Parameters["@poly"].UdtTypeName = "geometry";
param.Parameters["@point"].Value = point;
param.Parameters["@poly"].Value = poly;

However I realised there could be a problem when the polygon string is created.

然而，我意识到在创建多边形字符串时可能会有问题。

in javascript - I create it like so:

在javascript中——我是这样创建的:

var Circle_Data = "POLYGON ((";
for (var x = 0; x < pointsToSql.length; x++) { // formatting = 0 0, 150 0, 150 50 etc
    if (x == 360) { Circle_Data += pointsToSql[x].lat.toString() + " " + pointsToSql[x].lng.toString() + "))"; }
    else { Circle_Data += pointsToSql[x].lat.toString() + " " + pointsToSql[x].lng.toString() + ","; }
}

It is then passed to C#. So is this safe? even though the parametrization has happened in the query?

然后传递给c#。所以这是安全的吗?即使在查询中发生了参数化?

1 个解决方案

#1

With the parameter you will be saved from SQL Injection, If some SQL is injected in the POLYGON string, it will error out at SQL Server end.

使用将从SQL注入中保存的参数，如果在多边形字符串中注入了一些SQL，那么在SQL Server端就会出错。

So for example if you have :

例如，如果你有

POLYGON(12.33 12.55,13.55; DROP TABLE students;)

SQL server will try to construct a geometry type based on the passed string, and it will fail doing so.

SQL server将尝试基于所传递的字符串构造一个几何类型，它将失败。

#1