var retval = db.TestTable.SqlQuery("SELECT * FROM dbo.TestTable WHERE " + aColumn + " = '" + passedInValue + "'");
// normally when using parameters I would do something like this:
var valueParam = SqlParameter("aValue", passedInValues);
var retval = db.TestTable.SqlQuery("SELECT * FROM dbo.TestTable WHERE Column1 = @aValue", valueParam);
// NOTE: I would not do this at all. I know to use LINQ. But for this question, I'm concentrating on the issue of passing variables to a raw sql string.
但因爲這兩個列和值是「參數」中:使原始的SQL安全實體框架
var retval = db.TestTable.SqlQuery("SELECT * FROM dbo.TestTable WHERE " + aColumn + " = '" + passedInValue + "'");
,有防止SQL注入兩個?
你能對你的解答的第一部分擴大? 'whilelist'aColumn'是什麼意思? –
@DaBest Whitelist列:如果'aColumn'在已知列的列表中不完全匹配,則失敗:'if(!safeColumList.Contains(aColumn))throw new SecurityException(「Hacker !!」);'。 – Richard