How do I create a parameterized SQL query? Why Should I?

Question:

I've heard that "everyone" is using parameterized SQL queries to protect against SQL injection attacks without having to validate every piece of user input.

How do you do this? Do you get this automatically when using stored procedures?

So my understanding is that this is non-parameterized:

cmdText = String.Format("SELECT foo FROM bar WHERE baz = '{0}'", fuz)

Would this be parameterized?

cmdText = String.Format("EXEC foo_from_baz '{0}'", fuz)

Or do I need to do something more extensive like this in order to protect myself from SQL injection?

' Parameters.Count is read-only and the collection starts empty, so the
' parameter has to be added rather than assigned by index.
With command
    .CommandText = "SELECT foo FROM bar WHERE baz = @baz"
    .Parameters.Add("@baz", SqlDbType.NVarChar).Value = fuz
End With

Are there other advantages to using parameterized queries besides the security considerations?

Update: This great article was linked in one of the question's references by Grotok. http://www.sommarskog.se/dynamic_sql.html
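An added example, not part of the original question, that contrasts the two approaches shown above using Python's sqlite3 module and a constructed in-memory table (the table, rows and function names are assumptions). A value containing a quote is enough to show the difference: pasted into the SQL text it changes the statement, bound as a parameter it is only ever data.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the question's "bar" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (foo TEXT, baz TEXT)")
    conn.executemany("INSERT INTO bar VALUES (?, ?)",
                     [("row-alice", "alice"), ("row-obrien", "O'Brien")])
    return conn

def query_unparameterized(conn, fuz):
    # Same idea as String.Format("SELECT foo FROM bar WHERE baz = '{0}'", fuz):
    # the value becomes part of the SQL text, so a quote inside it is parsed
    # as SQL. Building "EXEC foo_from_baz '...'" this way has the same flaw;
    # calling a stored procedure does not make a concatenated string safe.
    sql = "SELECT foo FROM bar WHERE baz = '{0}'".format(fuz)
    return [row[0] for row in conn.execute(sql)]

def query_parameterized(conn, fuz):
    # The SQL text is fixed and the value travels separately as a bound
    # parameter, so the database never interprets it as syntax.
    sql = "SELECT foo FROM bar WHERE baz = ?"
    return [row[0] for row in conn.execute(sql, (fuz,))]

def compare(fuz):
    """Return (unparameterized result, parameterized result) for one input."""
    conn = make_db()
    try:
        unsafe = query_unparameterized(conn, fuz)
    except sqlite3.OperationalError as exc:
        # The quote in the input broke the statement itself.
        unsafe = "error: " + str(exc)
    safe = query_parameterized(conn, fuz)
    conn.close()
    return unsafe, safe

if __name__ == "__main__":
    print(compare("alice"))    # both forms find the row
    print(compare("O'Brien"))  # only the parameterized form does
```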


Solution:

Reference: https://stackoom.com/en/question/2H8A