2014-09-13 59 views
0

I have heard that I can prevent SQL injection attacks by using parameterized queries, but I don't know how to write them. How do I rewrite a SQL query as a parameterized query?

How would I write the following as a parameterized query?

// Connection string and query are both built by string concatenation;
// every user-supplied value ends up inside the SQL text itself.
SqlConnection con = new SqlConnection(
    "Data Source=" + globalvariables.hosttxt + "," + globalvariables.porttxt + "\\SQLEXPRESS;" +
    "Database=ha;" +
    "Persist Security Info=false;" +
    "UID='" + globalvariables.user + "';" +
    "PWD='" + globalvariables.psw + "'");

string query = "SELECT distinct ha FROM app WHERE 1+1=2";

// each optional filter splices the combo box text straight into the WHERE clause
if (comboBox1.Text != "")
{
    query += " AND firma = '" + comboBox1.Text + "'";
}

if (comboBox2.Text != "")
{
    query += " AND type = '" + comboBox2.Text + "'";
}

if (comboBox3.Text != "")
{
    query += " AND farve = '" + comboBox3.Text + "'";
}

SqlCommand mySqlCmd = con.CreateCommand();
mySqlCmd.CommandText = query;

con.Open();
…

Answers

2

You need to use parameters instead of just concatenating your SQL:

using System.Data;
using System.Data.SqlClient;

using (SqlConnection con = new SqlConnection(--your-connection-string--))
using (SqlCommand cmd = con.CreateCommand())
{
    string query = "SELECT distinct ha FROM app WHERE 1+1=2";

    if (comboBox1.Text != "")
    {
        // add an expression with a parameter placeholder
        query += " AND firma = @value1 ";

        // add the parameter (with an explicit type and length) and its value to the SqlCommand
        cmd.Parameters.Add("@value1", SqlDbType.VarChar, 100).Value = comboBox1.Text;
    }

    // ... and so on for all the various parameters you want to add

    cmd.CommandText = query;

    con.Open();

    using (SqlDataReader reader = cmd.ExecuteReader())
    {
        while (reader.Read())
        {
            // do something with the reader - read values
        }

        reader.Close();
    }

    con.Close();
}
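As an added example, not code from the question or either answer, here is the same optional-filter search written as a complete method: the column names and parameter placeholders are constants in the code, each typed value is attached as a typed, fixed-length SqlParameter, and the connection string is assembled with SqlConnectionStringBuilder instead of concatenating the user name and password. The host, port, credentials and the `BuildCommand`/`BuildConnectionString` names are assumptions for illustration; the `Filter` class is a hypothetical helper.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example: builds the question's optional-filter query with parameters,
// so the text a user types never becomes part of the SQL statement.
public static class ParameterizedSearch
{
    // Hypothetical helper describing one optional filter.
    private sealed class Filter
    {
        public string Column;        // column name: a code constant, never user input
        public string ParameterName; // placeholder used in the SQL text, e.g. "@firma"
        public string Value;         // the text the user typed (may be empty)
    }

    // Builds the SqlCommand; the caller opens the connection and runs ExecuteReader().
    public static SqlCommand BuildCommand(SqlConnection con, string firma, string type, string farve)
    {
        var filters = new List<Filter>
        {
            new Filter { Column = "firma", ParameterName = "@firma", Value = firma },
            new Filter { Column = "type",  ParameterName = "@type",  Value = type },
            new Filter { Column = "farve", ParameterName = "@farve", Value = farve },
        };

        SqlCommand cmd = con.CreateCommand();
        string query = "SELECT DISTINCT ha FROM app WHERE 1 = 1"; // always-true start, like the question's 1+1=2

        foreach (Filter f in filters)
        {
            if (string.IsNullOrEmpty(f.Value)) continue;

            // Only constants are appended to the SQL text; the value travels separately.
            query += " AND " + f.Column + " = " + f.ParameterName;

            // Explicit type and length: the parameter declaration the server sees is the
            // same on every call, however long the typed text happens to be.
            cmd.Parameters.Add(f.ParameterName, SqlDbType.VarChar, 100).Value = f.Value;
        }

        cmd.CommandText = query;
        return cmd;
    }

    // The builder escapes a user name or password containing ';' or quotes, which the
    // question's concatenated "UID='...';PWD='...'" string does not.
    public static string BuildConnectionString(string host, int port, string user, string password)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = host + "," + port + "\\SQLEXPRESS", // same shape as the question
            InitialCatalog = "ha",
            PersistSecurityInfo = false,
            UserID = user,
            Password = password,
        };
        return b.ConnectionString;
    }

    public static void Main()
    {
        // Constructed sample input: a quote character that would have broken out of a
        // concatenated string literal is just an ordinary value when passed as a parameter.
        string typed = "O'Brien & Sons";

        // Placeholder host and credentials; no server is contacted here.
        using (var con = new SqlConnection(BuildConnectionString("localhost", 1433, "user", "secret")))
        using (SqlCommand cmd = BuildCommand(con, typed, "", "red"))
        {
            Console.WriteLine(cmd.CommandText);
            // SELECT DISTINCT ha FROM app WHERE 1 = 1 AND firma = @firma AND farve = @farve
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);

            // With a reachable server the command is executed exactly as in the answer:
            // con.Open(); using (var r = cmd.ExecuteReader()) { while (r.Read()) { /* read values */ } }
        }
    }
}
```

The empty `type` filter is skipped, so only two parameters are attached, and the printed command text contains no user-typed characters at all; whatever the user enters can only ever be compared against the column, never parsed as SQL.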
0

Instead of comboBox1.Text, use a parameter such as @firma:

command.Parameters.Add("@firma", SqlDbType.VarChar);
command.Parameters["@firma"].Value = comboBox1.Text;

query += " AND firma = @firma ";

Do this for all of the parameters.

+0

@marc_s Thanks, typo – 2014-09-13 08:24:08

+0

OK - now, as the next step, I would recommend you always define an explicit **length**: 'command.Parameters.Add("@firma", SqlDbType.VarChar, 100);' – 2014-09-13 08:26:40

+0

Is there any difference in the query execution plan because of this? Or in performance? – 2014-09-13 08:53:15