I am trying to move all of my references to variables in SQL statements to the SqlParameter class; however, for some reason this query fails.
string orderBy =
Using SqlCommand is the way to prevent SQL injection. Your way of changing the ORDER BY is the same as using SQL injection in this context, so it shouldn't be allowed: params are used as constants and can't be used as column or table names.
You don't have to concatenate the content of sortBy; just use it as an enum and, depending on its value, concatenate something you're sure is safe. Like this:
if (orderBy == "some_column")
{
    // only a literal you control is appended; the caller's string never reaches the SQL text
    selectColumn += "someColumn";
}
...
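The allow-list approach from the answer above, written out as an added example (not code from the question or the answer): the caller's sort key is only ever used to look up a fixed column name, while the filter value still goes through a SqlParameter. The Orders table, its column names and the use of System.Data.SqlClient are assumptions for the sake of the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class OrderQuery
{
    // Allow-list: the only ORDER BY fragments the query can ever contain.
    // Keys are what a caller may send; values are fixed identifiers we control.
    // (Table and column names are assumed for this example.)
    private static readonly IReadOnlyDictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["name"]    = "CustomerName",
            ["created"] = "CreatedOn",
            ["total"]   = "OrderTotal",
        };

    public static SqlCommand Build(SqlConnection conn, int minTotal, string sortBy, bool descending)
    {
        // Unknown sort keys are rejected outright; the raw string is never concatenated.
        if (sortBy == null || !SortColumns.TryGetValue(sortBy, out string column))
            throw new ArgumentException("Unsupported sort column", nameof(sortBy));

        // Direction is chosen from two literals, again never from caller input.
        string direction = descending ? "DESC" : "ASC";

        SqlCommand cmd = conn.CreateCommand();
        // Identifier comes from the allow-list; the value comes from a parameter.
        cmd.CommandText =
            "SELECT CustomerName, CreatedOn, OrderTotal FROM Orders " +
            "WHERE OrderTotal >= @minTotal " +
            "ORDER BY " + column + " " + direction;
        cmd.Parameters.Add(new SqlParameter("@minTotal", SqlDbType.Int) { Value = minTotal });
        return cmd;
    }
}
```

A request such as `sortBy = "total; DROP TABLE Orders"` fails the dictionary lookup and throws before any SQL is built, which is the behaviour the answer describes.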