.net - Algorithm to avoid SQL injection on MSSQL Server from C# code?

Question

Ask a Question

Welcome To Ask or Share your Answers For Others

.net - Algorithm to avoid SQL injection on MSSQL Server from C# code?

asked Oct 17, 2021 in Technique[技术] by 深蓝 (71.8m points)

What would be the best way to avoid SQL injection on the C#.net platform.

Please post an C# implementation if you have any.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

315 views

1 Answer

深蓝 · Answer 1 · 2021-10-17T00:46:15+0000

There's no algorithm needed - just don't use string concatenation to build SQL statements. Use the SqlCommand.Parameters collection instead. This does all the necessary escaping of values (such as replacing ' with '') and ensures the command will be safe because somebody else (i.e. Microsoft) has done all the testing.

e.g. calling a stored procedure:

using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand("MySprocName", connection))
{
    command.CommandType = CommandType.StoredProcedure;
    command.Parameters.AddWithValue("@Param1", param1Value);
    return command.ExecuteReader();
}

This technique also works for inline SQL statements, e.g.

var sql = "SELECT * FROM MyTable WHERE MyColumn = @Param1";
using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand(sql, connection))
{
    command.Parameters.AddWithValue("@Param1", param1Value);
    return command.ExecuteReader();
}

Categories

.net - Algorithm to avoid SQL injection on MSSQL Server from C# code?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags