使用SQL數據讀取器進行參數化查詢C＃

Question

我知道，非參數化查詢因SQL注入而被忽視。那麼，我的應用程序中有很多查詢容易受到SQL注入的影響。我似乎無法用SqlDataReader來包裹我的頭。我可以用ExecuteNonQuery而不是SQLDataReader。

有人可以給我一些指點和或要做到這一點的最佳方式的例子，執行查詢時，返回正是它應該，我只是想使它儘可能的安全....

代碼：

string myQuery = "Select [shoeSize] AS 'Shoe Size', [shoeBrand] AS 'Shoe Brand' FROM [myTable] " 
       + "WHERE [customerName] = '" + customer + "' AND " + "[customerPin] = '" + customerID + "'"; 

sqlCmd = new SqlCommand(myQuery, conn); 
sqlCmd.Connection.Open(); 
SqlDataReader rdr2 = sqlCmd.ExecuteReader(); 

    if (rdr2.HasRows) 
    { 
     rdr2.Read(); 

     shoeSize= rdr2["Shoe Size"].ToString();  
     shoeBrand= rdr2["Shoe Brand"].ToString(); 
    } 
    conn.close(); 

Answer 1

你去那裏

string myQuery = "Select [shoeSize] AS 'Shoe Size', [shoeBrand] AS 'Shoe Brand' FROM [myTable] " 
       + "WHERE [customerName] = @customerName AND [customerPin] = @customerID" 

sqlCmd = new SqlCommand(myQuery, conn); 
sqlCmd.Connection.Open(); 
sqlCmd.Parameters.AddWithValue("@customerName", customerName); 
sqlCmd.Parameters.AddWithValue("@customerID", customerID"); 
--rest stays the same as before 

而@customerName和@customerID現在是您的參數。所以，即使客戶的名字應該是「Bigler，Fabian'DROP TABLE [myTable]」，它也不會起作用。它完全消除了「邪惡」輸入改變查詢含義的可能性。

非參數化查詢不是簡單地'皺眉'。這對您，您的公司和 - 當然是您的客戶可能是災難性的。

Answer 2

像這樣：

 string myQuery = "Select [shoeSize] AS 'Shoe Size', [shoeBrand] AS 'Shoe Brand' FROM [myTable] " 
       + "WHERE [customerName] = @customerName AND [customerPin] = @customerPin"; 

     sqlCmd = new SqlCommand(myQuery, conn); 
     sqlCmd.Connection.Open(); 
     sqlCmd.Parameters.Add("@customerName", SqlDbType.NVarChar, 50).Value = customer; 
     sqlCmd.Parameters.Add("@customerPin", SqlDbType.NVarChar, 20).Value = customerID; 
     SqlDataReader rdr2 = sqlCmd.ExecuteReader(); 

     if (rdr2.HasRows) 
     { 
      rdr2.Read(); 

      shoeSize = rdr2["Shoe Size"].ToString(); 
      shoeBrand = rdr2["Shoe Brand"].ToString(); 
     } 
     conn.close();