Question:
I've heard that "everyone" is using parameterized SQL queries to protect against SQL injection attacks without having to validate every piece of user input.
How do you do this? Do you get this automatically when using stored procedures?
So my understanding is that this is non-parameterized:
cmdText = String.Format("SELECT foo FROM bar WHERE baz = '{0}'", fuz)
Would this be parameterized?
cmdText = String.Format("EXEC foo_from_baz '{0}'", fuz)
Or do I need to do something more extensive like this in order to protect myself from SQL injection?
With command
    ' The placeholder @baz stands in for the value; the value itself is never part of the SQL text
    .CommandText = "SELECT foo FROM bar WHERE baz = @baz"
    ' Parameters.Count is read-only in ADO.NET, so the parameter is added rather than the count being set
    .Parameters.Add("@baz", SqlDbType.NVarChar).Value = fuz
End With
Are there other advantages to using parameterized queries besides the security considerations?
Update: This great article was linked in one of the questions referenced by Grotok: http://www.sommarskog.se/dynamic_sql.html
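The difference the question is asking about can be seen by running both patterns against a real database. The following is an added example, not code from the question or from any of the linked material; it uses Python's built-in sqlite3 module instead of ADO.NET because the mechanism is identical across drivers: a formatted string puts the user's value into the SQL text, where the parser treats it as SQL, while a placeholder sends the value separately, so it can only ever be compared as data. The table `bar`, the column `baz` and all row values are constructed for the demonstration. Note that the `EXEC foo_from_baz '{0}'` form from the question is still the first pattern: calling a stored procedure does not help when the argument is pasted into the command text with String.Format.

```python
import sqlite3


def make_db():
    """Constructed sample table mirroring the question's SELECT foo FROM bar WHERE baz = ..."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (foo TEXT, baz TEXT)")
    conn.executemany(
        "INSERT INTO bar VALUES (?, ?)",
        [("alpha", "one"), ("beta", "two"), ("gamma", "O'Brien")],
    )
    return conn


def lookup_formatted(conn, fuz):
    """Equivalent of String.Format("SELECT foo FROM bar WHERE baz = '{0}'", fuz).

    The value of fuz is spliced into the SQL text, so any quote or SQL keyword
    inside it is parsed as part of the statement.
    """
    sql = "SELECT foo FROM bar WHERE baz = '{0}'".format(fuz)
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, fuz):
    """Placeholder version: the driver binds fuz as a value, never as SQL text."""
    sql = "SELECT foo FROM bar WHERE baz = ?"
    return sorted(row[0] for row in conn.execute(sql, (fuz,)))


def demo():
    """Run both lookups on an ordinary value, a value containing a quote,
    and a constructed tautology input; return the results for comparison."""
    conn = make_db()
    results = {}

    # An ordinary value behaves the same either way.
    results["plain_formatted"] = lookup_formatted(conn, "one")
    results["plain_param"] = lookup_parameterized(conn, "one")

    # A legitimate value containing an apostrophe breaks the formatted query
    # (unterminated string) but is matched correctly when bound as a parameter.
    try:
        lookup_formatted(conn, "O'Brien")
        results["quote_formatted"] = "no error"
    except sqlite3.OperationalError:
        results["quote_formatted"] = "syntax error"
    results["quote_param"] = lookup_parameterized(conn, "O'Brien")

    # Constructed input that closes the quoted literal and appends a condition
    # that is always true: the formatted query returns every row, the
    # parameterized query looks for a baz literally equal to this string.
    crafted = "x' OR '1'='1"
    results["crafted_formatted"] = lookup_formatted(conn, crafted)
    results["crafted_param"] = lookup_parameterized(conn, crafted)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} -> {value}")
```

Beyond the security point, the parameterized form also answers the question's last part in practice: the database receives the same statement text every time, so it can reuse a cached execution plan, and values such as dates and numbers are passed in their native types instead of being rendered to strings and parsed back.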