How do I protect this function from SQL injection?

Front-end · Unresolved · 11 answers · 1174 views
独厮守ぢ 2020-12-16 18:47
public static bool TruncateTable(string dbAlias, string tableName)
{
    string sqlStatement = string.Format("TRUNCATE TABLE {0}", tableName);
    return ExecuteNo
11 answers
  •  再見小時候
    2020-12-16 19:08

    If you can't use parameterized queries (and you should) ... a simple replace of all instances of ' with '' should work.

    string sqlStatement = string.Format("TRUNCATE TABLE {0}", tableName.Replace("'", "''")); 
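The table name in the question sits in an identifier position, which database drivers cannot bind as a parameter, so the usual defence is to validate the value against an allow-list of tables the code is permitted to truncate and only then place it, quoted as an identifier, into the statement. The following C# is an added example written for this page, not code from the question or any answer; the class and method names, the allow-list contents and the SQL Server bracket-quoting convention are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added example: allow-list validation plus identifier quoting for a
// TRUNCATE TABLE helper. Names and table list are constructed for illustration.
public static class TruncateGuard
{
    // Constructed allow-list standing in for the application's own set of
    // tables that are legitimately truncated (e.g. staging or cache tables).
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "ImportStaging",
            "SessionCache",
            "ReportScratch"
        };

    // Builds the statement only for a listed table; anything else is rejected
    // before any SQL text exists, so there is nothing for an attacker to shape.
    public static string BuildTruncateStatement(string tableName)
    {
        if (string.IsNullOrWhiteSpace(tableName))
            throw new ArgumentException("Table name is required.", nameof(tableName));

        // Step 1: allow-list check. This is the actual control.
        if (!AllowedTables.Contains(tableName))
            throw new ArgumentException(
                $"Table '{tableName}' is not eligible for truncation.", nameof(tableName));

        // Step 2: defence in depth. Quote the identifier so that even a listed
        // name with unusual characters cannot end the identifier early.
        return "TRUNCATE TABLE " + QuoteIdentifier(tableName);
    }

    // SQL Server style bracket quoting (assumed dialect): a closing bracket
    // inside the name is doubled. Other engines use "..." or `...` with the
    // same doubling rule for the delimiter character.
    public static string QuoteIdentifier(string name)
    {
        return "[" + name.Replace("]", "]]") + "]";
    }

    public static void Main()
    {
        // Listed table: statement is produced with the identifier quoted.
        Console.WriteLine(BuildTruncateStatement("SessionCache"));
        // -> TRUNCATE TABLE [SessionCache]

        // Constructed input that is not on the list: rejected, never reaches SQL.
        try
        {
            BuildTruncateStatement("Orders; --");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

In a real service the allow-list would typically be loaded once at startup from configuration or from the catalogue (for example INFORMATION_SCHEMA.TABLES filtered to the schemas the helper may touch) rather than hard-coded; the important property is that the caller's string is compared against known names and the matched, known value is what ends up in the statement.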
    
