【发布时间】:2018-10-23 12:40:31
【问题描述】:
我是 C# 新手,我编写了以下代码。阅读完文档后,我意识到我的代码可能容易受到 SQL 注入的影响,因为我没有为我的值使用参数(据我了解,您可以通过 search.Text 注入不需要的查询)。我什至应该担心它,因为我基本上将我的值锁定在 "" 引号内?
我在这里找到了一些方向,但我无法让它工作: How to use string variable in sql statement
public void InvokeDataGridAddress()
{
switch (ComboBoxSelection.Text)
{
case "NASLOV":
comboBoxValue = "SELECT * FROM [cbu_naslovi] WHERE [ADDRESS] LIKE '%" + search.Text + "%' COLLATE Latin1_general_CI_AI";
break;
case "LASTNIK":
comboBoxValue = "SELECT [cbu_naslovi].* FROM [cbu_deli], [cbu_naslovi] WHERE [cbu_deli].LASTNIK LIKE '%" + search.Text + "%' COLLATE Latin1_general_CI_AI AND [cbu_deli].IDX = [cbu_naslovi].ID";
break;
case "OBJEKT":
comboBoxValue = "SELECT * FROM [cbu_naslovi] WHERE [SO] LIKE '%" + search.Text + "%'";
break;
case "PARCELA":
comboBoxValue = "SELECT * FROM [cbu_naslovi] WHERE [P1] LIKE '%" + search.Text + "%' OR [P2] LIKE '%" + search.Text + "%' OR [P3] LIKE '%" + search.Text + "%' OR [P4] LIKE '%" + search.Text + "%' OR [P5] LIKE '%" + search.Text + "%' OR [P6] LIKE '%" + search.Text + "%' OR [P7] LIKE '%" + search.Text + "%' OR [P8] LIKE '%" + search.Text + "%' OR [P9] LIKE '%" + search.Text + "%' OR [P10] LIKE '%" + search.Text + "%' OR [P11] LIKE '%" + search.Text + "%' OR [P12] LIKE '%" + search.Text + "%' OR [P13] LIKE '%" + search.Text + "%' OR [P14] LIKE '%" + search.Text + "%' OR [P15] LIKE '%" + search.Text + "%' OR [P16] LIKE '%" + search.Text + "%' OR [P17] LIKE '%" + search.Text + "%'";
break;
}
comboBoxValue = comboBoxValue + " ORDER BY [ULICA] ASC, [OBMOCJE] ASC, LEN ([HS]) ASC, [HS] ASC, [HID] ASC";
SqlCommand cmd = new SqlCommand
{
CommandText = comboBoxValue,
Connection = con
};
Mouse.OverrideCursor = System.Windows.Input.Cursors.Wait;
SqlDataAdapter da = new SqlDataAdapter(cmd);
dtAddress.Clear();
da.Fill(dtAddress);
dg_address.ItemsSource = dtAddress.DefaultView;
Mouse.OverrideCursor = System.Windows.Input.Cursors.Arrow;
}
编辑:Olivier Belanger 和 MindSwipe 提供了可行的解决方案。我还留下了有关如何使 LIKE 使用 % 参数的参考:Use of SqlParameter in SQL LIKE clause not working
public void InvokeDataGridAddress()
{
switch (ComboBoxSelection.Text)
{
case "NASLOV":
comboBoxValue = "SELECT * FROM [cbu_naslovi] WHERE [ADDRESS] LIKE @SearchText COLLATE Latin1_general_CI_AI";
break;
case "LASTNIK":
comboBoxValue = "SELECT [cbu_naslovi].* FROM [cbu_deli], [cbu_naslovi] WHERE [cbu_deli].LASTNIK LIKE @SearchText COLLATE Latin1_general_CI_AI AND [cbu_deli].IDX = [cbu_naslovi].ID";
break;
case "OBJEKT":
comboBoxValue = "SELECT * FROM [cbu_naslovi] WHERE [SO] LIKE @SearchText";
break;
case "PARCELA":
comboBoxValue = "SELECT * FROM [cbu_naslovi] WHERE [P1] LIKE @SearchText OR [P2] LIKE @SearchText OR [P3] LIKE @SearchText OR [P4] LIKE @SearchText OR [P5] LIKE @SearchText OR [P6] LIKE @SearchText OR [P7] LIKE @SearchText OR [P8] LIKE @SearchText OR [P9] LIKE @SearchText OR [P10] LIKE @SearchText OR [P11] LIKE @SearchText OR [P12] LIKE @SearchText OR [P13] LIKE @SearchText OR [P14] LIKE @SearchText OR [P15] LIKE @SearchText OR [P16] LIKE @SearchText OR [P17] LIKE @SearchText";
break;
}
comboBoxValue = comboBoxValue + " ORDER BY [ULICA] ASC, [OBMOCJE] ASC, LEN ([HS]) ASC, [HS] ASC, [HID] ASC";
SqlCommand cmd = new SqlCommand
{
CommandText = comboBoxValue,
Connection = con
};
cmd.Parameters.AddWithValue("@SearchText", '%' + search.Text + '%');
Mouse.OverrideCursor = System.Windows.Input.Cursors.Wait;
SqlDataAdapter da = new SqlDataAdapter(cmd);
dtAddress.Clear();
da.Fill(dtAddress);
dg_address.ItemsSource = dtAddress.DefaultView;
Mouse.OverrideCursor = System.Windows.Input.Cursors.Arrow;
}
【问题讨论】:
-
请详细说明,如上所述,我是 C# 和一般编程新手。
-
@Fildor 我使用了不同的代码结构,没有 cmd。附件。我尝试在 CommandText 下添加
Parameter.Add("@Search", search.Text)并将search.Text替换为(@)Search,但无法正常工作。这对于有经验的人来说可能是合乎逻辑的,但对于新手来说却不是。 -
是的,您绝对应该担心这一点。这很容易预防,否则对任何人来说都是一个非常开放的漏洞。我不会说从不经常,但从不在 SQL 语句中使用不干净的值。使用参数(或者在许多情况下更好:Entity Framework 可以为您处理大部分 SQL 管道)
-
@Adephx 您有什么特别不清楚的地方?这个答案可以以任何方式改进,所以它会更有用吗?