如何将SQL查询重新编写为参数化查询?
我听说我可以通过使用参数化查询来防止SQL注入攻击,但我不知道如何编写它们。
我如何将以下内容编写为参数化查询?
SqlConnection con = new SqlConnection( "Data Source=" + globalvariables.hosttxt + "," + globalvariables.porttxt + "\\SQLEXPRESS;" + "Database=ha;" + "Persist Security Info=false;" + "UID='" + globalvariables.user + "';" + "PWD='" + globalvariables.psw + "'"); string query = "SELECT distinct ha FROM app WHERE 1+1=2"; if (comboBox1.Text != "") { query += " AND firma = '" + comboBox1.Text + "'"; } if (comboBox2.Text != "") { query += " AND type = '" + comboBox2.Text + "'"; } if (comboBox3.Text != "") { query += " AND farve = '" + comboBox3.Text + "'"; } SqlCommand mySqlCmd = con.CreateCommand(); mySqlCmd.CommandText = query; con.Open(); … 您需要使用参数而不是仅仅将SQL连接在一起:
using (SqlConnection con = new SqlConnection(--your-connection-string--)) using (SqlCommand cmd = new SqlCommand(con)) { string query = "SELECT distinct ha FROM app WHERE 1+1=2"; if (comboBox1.Text != "") { // add an expression with a parameter query += " AND firma = @value1 "; // add parameter and value to the SqlCommand cmd.Parameters.Add("@value1", SqlDbType.VarChar, 100).Value = comboBox1.Text; } .... and so on for all the various parameters you want to add cmd.CommandText = query; con.Open(); using (SqlDataReader reader = cmd.ExecuteReader()) { while(reader.Read()) { // do something with reader -read values } reader.Close(); } con.Close(); }
而不是comboBox1.Text使用像@firma这样的参数
command.Parameters.Add("@firma", SqlDbType.Varchar); command.Parameters["@firma"].Value = comboBox1.Text; query += " AND firma = @firma ";
将此应用于所有参数