• <bdo id='dWxM2'></bdo><ul id='dWxM2'></ul>

  1. <small id='dWxM2'></small><noframes id='dWxM2'>

  2. <i id='dWxM2'><tr id='dWxM2'><dt id='dWxM2'><q id='dWxM2'><span id='dWxM2'><b id='dWxM2'><form id='dWxM2'><ins id='dWxM2'></ins><ul id='dWxM2'></ul><sub id='dWxM2'></sub></form><legend id='dWxM2'></legend><bdo id='dWxM2'><pre id='dWxM2'><center id='dWxM2'></center></pre></bdo></b><th id='dWxM2'></th></span></q></dt></tr></i><div id='dWxM2'><tfoot id='dWxM2'></tfoot><dl id='dWxM2'><fieldset id='dWxM2'></fieldset></dl></div>
  3. <legend id='dWxM2'><style id='dWxM2'><dir id='dWxM2'><q id='dWxM2'></q></dir></style></legend>
  4. <tfoot id='dWxM2'></tfoot>

    1. 为什么我们总是喜欢在 SQL 语句中使用参数?

      时间:2023-07-18

        • <i id='Pdsih'><tr id='Pdsih'><dt id='Pdsih'><q id='Pdsih'><span id='Pdsih'><b id='Pdsih'><form id='Pdsih'><ins id='Pdsih'></ins><ul id='Pdsih'></ul><sub id='Pdsih'></sub></form><legend id='Pdsih'></legend><bdo id='Pdsih'><pre id='Pdsih'><center id='Pdsih'></center></pre></bdo></b><th id='Pdsih'></th></span></q></dt></tr></i><div id='Pdsih'><tfoot id='Pdsih'></tfoot><dl id='Pdsih'><fieldset id='Pdsih'></fieldset></dl></div>

            <tfoot id='Pdsih'></tfoot>
              <bdo id='Pdsih'></bdo><ul id='Pdsih'></ul>

              <legend id='Pdsih'><style id='Pdsih'><dir id='Pdsih'><q id='Pdsih'></q></dir></style></legend>
                <tbody id='Pdsih'></tbody>
              1. <small id='Pdsih'></small><noframes id='Pdsih'>

              2. 本文介绍了为什么我们总是喜欢在 SQL 语句中使用参数?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

                问题描述

                我对使用数据库很陌生.现在我可以编写SELECTUPDATEDELETEINSERT 命令.但是我看过很多我们喜欢写的论坛:

                I am very new to working with databases. Now I can write SELECT, UPDATE, DELETE, and INSERT commands. But I have seen many forums where we prefer to write:

                SELECT empSalary from employee where salary = @salary
                

                ...而不是:

                SELECT empSalary from employee where salary = txtSalary.Text
                

                为什么我们总是喜欢使用参数,我将如何使用它们?

                Why do we always prefer to use parameters and how would I use them?

                我想知道第一种方法的用途和好处.我什至听说过 SQL 注入,但我并不完全了解它.我什至不知道 SQL 注入是否与我的问题有关.

                I wanted to know the use and benefits of the first method. I have even heard of SQL injection but I don't fully understand it. I don't even know if SQL injection is related to my question.

                推荐答案

                当数据库与桌面程序或网站等程序接口结合使用时,使用参数有助于防止SQL 注入攻击.

                Using parameters helps prevent SQL Injection attacks when the database is used in conjunction with a program interface such as a desktop program or web site.

                在您的示例中,用户可以通过在 txtSalary 中编写语句来直接在您的数据库上运行 SQL 代码.

                In your example, a user can directly run SQL code on your database by crafting statements in txtSalary.

                例如,如果他们要写0 OR 1=1,则执行的 SQL 将是

                For example, if they were to write 0 OR 1=1, the executed SQL would be

                 SELECT empSalary from employee where salary = 0 or 1=1
                

                由此将返还所有 empSalaries.

                whereby all empSalaries would be returned.

                此外,用户可能会对您的数据库执行更糟糕的命令,包括删除它如果他们写了 0;删除表员工:

                Further, a user could perform far worse commands against your database, including deleting it If they wrote 0; Drop Table employee:

                SELECT empSalary from employee where salary = 0; Drop Table employee
                

                employee 然后将被删除.

                就您而言,您似乎在使用 .NET.使用参数就像:

                In your case, it looks like you're using .NET. Using parameters is as easy as:

                string sql = "SELECT empSalary from employee where salary = @salary";
                
                using (SqlConnection connection = new SqlConnection(/* connection info */))
                using (SqlCommand command = new SqlCommand(sql, connection))
                {
                    var salaryParam = new SqlParameter("salary", SqlDbType.Money);
                    salaryParam.Value = txtMoney.Text;
                
                    command.Parameters.Add(salaryParam);
                    var results = command.ExecuteReader();
                }
                

                Dim sql As String = "SELECT empSalary from employee where salary = @salary"
                Using connection As New SqlConnection("connectionString")
                    Using command As New SqlCommand(sql, connection)
                        Dim salaryParam = New SqlParameter("salary", SqlDbType.Money)
                        salaryParam.Value = txtMoney.Text
                
                        command.Parameters.Add(salaryParam)
                
                        Dim results = command.ExecuteReader()
                    End Using
                End Using
                

                编辑 2016-4-25:

                Edit 2016-4-25:

                根据 George Stocker 的评论,我将示例代码更改为不使用 AddWithValue.此外,通常建议您将 IDisposable 包裹在 using 语句中.

                As per George Stocker's comment, I changed the sample code to not use AddWithValue. Also, it is generally recommended that you wrap IDisposables in using statements.

                这篇关于为什么我们总是喜欢在 SQL 语句中使用参数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

                上一篇:在 SQL Server 中使用“Pivot"将行转换为列 下一篇:如何从 SQL Server 中的 SELECT 更新?

                相关文章

                  1. <tfoot id='w7a62'></tfoot>

                    <small id='w7a62'></small><noframes id='w7a62'>

                      <bdo id='w7a62'></bdo><ul id='w7a62'></ul>

                    <i id='w7a62'><tr id='w7a62'><dt id='w7a62'><q id='w7a62'><span id='w7a62'><b id='w7a62'><form id='w7a62'><ins id='w7a62'></ins><ul id='w7a62'></ul><sub id='w7a62'></sub></form><legend id='w7a62'></legend><bdo id='w7a62'><pre id='w7a62'><center id='w7a62'></center></pre></bdo></b><th id='w7a62'></th></span></q></dt></tr></i><div id='w7a62'><tfoot id='w7a62'></tfoot><dl id='w7a62'><fieldset id='w7a62'></fieldset></dl></div>

                    <legend id='w7a62'><style id='w7a62'><dir id='w7a62'><q id='w7a62'></q></dir></style></legend>