How does SQLParameter prevent SQL Injection?

借酒劲吻你 2020-11-22 07:59

What exactly is going on in the background that makes it so SQLParameter prevents SQL Injection attacks in a .NET Parameterized query? Is it just stripping out any suspect c

4 answers
  •  深忆病人
    2020-11-22 08:20

    When using parameterized queries, the attack surface is reduced to monkeying around with the parameters.

    Do use SqlParameters, but don't forget about overflow, underflow and unvalidated parameters. For example, if the method is "proc buy_book (@price money)", a malicious attacker would attempt to trick the application into running with @price set to 0.01, or attempt to get the application to do something interesting by submitting something that causes an overflow. SQL overflows tend not to be interesting (i.e. they just cause exceptions; you are unlikely to be able to write to adjacent memory).
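An added example (not from the question or either poster) that reproduces the point in Python with sqlite3 rather than .NET, since the mechanism is the same: a concatenated query parses the user's input as SQL text, a parameterised one sends it as a value, and, as the answer above notes, neither stops a client-supplied @price of 0.01 unless the application validates it against the catalogue. The table, titles and prices are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory catalogue so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    con.executemany("INSERT INTO books (title, price) VALUES (?, ?)",
                    [("Secure Coding", 45.00), ("Threat Modeling", 60.00)])
    return con


def find_by_title_concat(con, title):
    """Vulnerable: the value is spliced into the SQL text, so quotes and
    operators inside it are parsed as SQL by the engine."""
    sql = "SELECT title FROM books WHERE title = '" + title + "'"
    return [row[0] for row in con.execute(sql)]


def find_by_title_param(con, title):
    """Parameterised: the SQL text is fixed at '?'; the driver hands the value
    over separately, so the same string is only ever compared as a title."""
    sql = "SELECT title FROM books WHERE title = ?"
    return [row[0] for row in con.execute(sql, (title,))]


def buy_book(con, book_id, client_price):
    """Parameterisation does not validate the parameter itself. The client may
    still submit price=0.01, a negative value, or an absurdly large one, so the
    price is checked against the server-side catalogue and a sane range.
    Returns the price actually charged, or None if the request is rejected."""
    row = con.execute("SELECT price FROM books WHERE id = ?", (book_id,)).fetchone()
    if row is None:
        return None                      # unknown book
    if not (0 < client_price < 1_000_000):
        return None                      # underflow / overflow style values
    if abs(client_price - row[0]) > 1e-9:
        return None                      # client tried to set its own price
    return row[0]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concat:", find_by_title_concat(db, probe))   # every title leaks
    print("param: ", find_by_title_param(db, probe))    # no match: it is data
    print("buy at 0.01:", buy_book(db, 1, 0.01))        # None: rejected
```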
