
Executing SQL statements with parameterized commands

2022-06-24 18:39:00 MousseIn

Understand the benefits of parameterized commands

  • Prevent SQL injection

string sb = "SELECT * FROM admin WHERE loginid = '" + loginId + "' AND loginPwd = '" + loginPwd + "'";

If loginId is entered as ' or 1=1 -- , the text actually sent to the server becomes:

SELECT * FROM admin WHERE loginid = '' or 1=1 --' AND loginPwd = 'xxx'

Splicing strings this way has two drawbacks:

  • It is hard to read, and easy to get wrong.
  • It is insecure: the statement is easy to attack with SQL injection.

Example:

using System;
using System.Data.SqlClient;

namespace CH03
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Please enter a user name:");
            string name = Console.ReadLine();
            Console.WriteLine("Please enter a password:");
            string pwd = Console.ReadLine();
            int count = 0;
            // Connection string for the sample MySchool database (sa credentials as in the original post)
            string conStr = "data source=(local);database=MySchool;uid=sa;pwd=123456";
            using (SqlConnection con = new SqlConnection(conStr))
            {
                con.Open();
                // User input is spliced straight into the SQL text: this is the vulnerable form
                string sql = "select count(*) from dbo.student where studentno = " + name + " and loginpwd = '" + pwd + "'";
                SqlCommand cmd = new SqlCommand(sql, con);
                // ExecuteScalar returns the first column of the first row, here the count(*)
                count = Convert.ToInt32(cmd.ExecuteScalar());
            }
            if (count > 0)
            {
                Console.WriteLine("Login successful!");
            }
            else
            {
                Console.WriteLine("Login failed!");
            }
            Console.ReadKey();
        }
    }
}

count receives the value returned by count(*): if it is greater than zero the login succeeds, and if it is zero the login fails (a count is never negative).
If we enter "3 or 1=1 --" in the user name field, the statement that would normally reach the database, for example

select count(*) from dbo.student where studentno = 23214 and loginpwd = '0000'

turns into

select count(*) from dbo.student where studentno = 3 or 1=1 -- and loginpwd = '0000'

1=1 is always true, and the password check has been commented out by --.
count therefore always comes back greater than zero, so the login succeeds.
Parameterized queries are the way of executing SQL statements that effectively avoids the drawbacks above.

Master executing SQL statements with parameterized commands

Use @ to construct parameterized SQL commands

SqlParameter object

  • Each SqlParameter corresponds to one "@"-prefixed placeholder in the SQL text and supplies the value that replaces it.
    SqlParameter objects are added through the Parameters property of the SqlCommand.

SqlParameter properties

  • DbType: the database-independent (System.Data.DbType) type of the parameter
  • Direction: whether the parameter is input-only, output-only, bidirectional, or a stored procedure return value
  • IsNullable: whether the parameter accepts null values
  • ParameterName: the name of the parameter
  • Size: the maximum size of the data corresponding to the parameter
  • SqlDbType: the SQL Server data type of the parameter
  • Value: the value of the parameter

Note that the two-argument constructor new SqlParameter("@n", name) used in the example below infers SqlDbType from the .NET type of the value, so a string is sent as nvarchar; when the column is numeric, pass an int or set SqlDbType explicitly rather than relying on the server to convert the value.

Steps for executing parameterized SQL with SqlCommand

  • Construct the database connection object
  • Construct the parameterized SQL statement
  • Construct the SqlParameter objects
  • Create the SqlCommand object and fill in the data with the SqlParameter objects
  • Open the database connection and execute the SqlCommand

Example:

using System;
using System.Data.SqlClient;

namespace CH03
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Please enter a user name:");
            string name = Console.ReadLine();
            Console.WriteLine("Please enter a password:");
            string pwd = Console.ReadLine();
            int count = 0;
            // Connection string for the sample MySchool database (sa credentials as in the original post)
            string conStr = "data source=(local);database=MySchool;uid=sa;pwd=123456";
            using (SqlConnection con = new SqlConnection(conStr))
            {
                con.Open();
                // Build the parameterized SQL statement: @n and @pwd are placeholders, not spliced text
                string sql = "select count(*) from student where studentno = @n and loginpwd = @pwd";
                // Build the SqlParameter objects that carry the values for the placeholders
                SqlParameter[] par = {
                                     new SqlParameter("@n", name),   // value bound to @n
                                     new SqlParameter("@pwd", pwd)   // value bound to @pwd
                                     };
                // Previous, vulnerable form for comparison:
                //string sql = "select count(*) from dbo.student where studentno = "+ name +" and loginpwd = '"+pwd +"'";
                SqlCommand cmd = new SqlCommand(sql, con);
                cmd.Parameters.AddRange(par); // add the parameter array to cmd
                // ExecuteScalar returns the first column of the first row, here the count(*)
                count = Convert.ToInt32(cmd.ExecuteScalar());
            }
            if (count > 0)
            {
                Console.WriteLine("Login successful!");
            }
            else
            {
                Console.WriteLine("Login failed!");
            }
            Console.ReadKey();
        }
    }
}

Trying the SQL injection input again:
the SQL text that reaches the server is exactly

select count(*) from student where studentno = @n and loginpwd = @pwd

and not a statement assembled with +. The input "3 or 1=1 --" travels separately as the value of @n, so the server compares it with studentno as data and never interprets it as SQL; since studentno is numeric, either no row matches or the server rejects the value as a non-numeric input, and in both cases the login fails.
The advantages are:

  • High security: SQL injection is effectively avoided
  • The code is simpler and more readable
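The two scenarios described above (the spliced statement that lets "3 or 1=1 --" bypass the password check, and the parameterized statement that sends the same input as a bound value) as an added, runnable example that is not part of the original post. It uses Python's sqlite3 module as an offline stand-in for SQL Server and SqlClient; the student rows are constructed here, and sqlite's :name placeholders play the role of SqlClient's @name parameters. The plaintext loginpwd column is kept only so the counts match the text; parameterization fixes injection but does not make storing plaintext passwords acceptable.

```python
import sqlite3

# Constructed sample rows standing in for the page's MySchool.dbo.student table:
# (studentno, loginpwd). Plaintext passwords are kept only to mirror the page.
STUDENTS = [
    (23214, "0000"),
    (23215, "1234"),
]


def open_db():
    """Create an in-memory database holding the constructed student rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE student (studentno INTEGER, loginpwd TEXT)")
    con.executemany("INSERT INTO student VALUES (?, ?)", STUDENTS)
    return con


def login_concat(con, name, pwd):
    """Vulnerable form: user input is spliced into the SQL text exactly as in the
    page's first C# example. Returns (sql_text_sent, count)."""
    sql = ("select count(*) from student where studentno = " + name
           + " and loginpwd = '" + pwd + "'")
    count = con.execute(sql).fetchone()[0]
    return sql, count


def login_param(con, name, pwd):
    """Parameterized form: the SQL text is a constant; user input only travels as
    bound values, so it can never change the statement. Returns (sql_text_sent, count)."""
    sql = "select count(*) from student where studentno = :n and loginpwd = :pwd"
    count = con.execute(sql, {"n": name, "pwd": pwd}).fetchone()[0]
    return sql, count


def demo():
    """Run the page's scenario against both forms: a legitimate login, then the
    "3 or 1=1 --" payload with a wrong password. Returns the four counts."""
    con = open_db()
    try:
        payload = "3 or 1=1 --"
        return {
            # both forms accept the real credentials
            "concat_valid": login_concat(con, "23214", "0000")[1],
            "param_valid": login_param(con, "23214", "0000")[1],
            # the spliced form lets 1=1 match every row and comments out the password check
            "concat_injected": login_concat(con, payload, "wrong")[1],
            # the bound form compares the payload with studentno as data: no row matches
            "param_injected": login_param(con, payload, "wrong")[1],
        }
    finally:
        con.close()


if __name__ == "__main__":
    print(demo())
```

Because login_param always sends the same statement text, the payload cannot add an `or` or a `--` to it; it is delivered as a value for :n, which the integer column simply does not match. In ADO.NET the same separation is what cmd.Parameters provides.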

Copyright notice
This article was written by [MousseIn]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202211332353847.html
