How do I re-write a SQL query as a parameterized query?

Backend Unresolved 2 799
日久生厌 2020-11-29 14:17

I have heard that I can prevent SQL injection attacks by using parameterized queries, but I do not know how to write them.

How would I write the following as a param

2 answers
  • 2020-11-29 14:39

    You need to use parameters instead of just concatenating together your SQL:

    // at the top of the file:
    using System.Data;
    using System.Data.SqlClient;

    using (SqlConnection con = new SqlConnection(--your-connection-string--))
    using (SqlCommand cmd = con.CreateCommand())   // SqlCommand has no (connection)-only constructor
    {
        string query = "SELECT distinct ha FROM app WHERE 1+1=2";

        if (comboBox1.Text != "")
        {
            // add an expression with a parameter placeholder; the user's text never enters the SQL string
            query += " AND firma = @value1 ";

            // add parameter and value to the SqlCommand
            cmd.Parameters.Add("@value1", SqlDbType.VarChar, 100).Value = comboBox1.Text;
        }

        // ... and so on for all the various parameters you want to add

        cmd.CommandText = query;

        con.Open();

        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                // do something with reader - read values
            }
        }
        // reader and con are closed and disposed by their using blocks
    }

    0 Discussion (0)
  • 2020-11-29 14:52

    Instead of comboBox1.Text, use parameters like @firma:

    command.Parameters.Add("@firma", SqlDbType.VarChar);
    command.Parameters["@firma"].Value = comboBox1.Text;

    query += " AND firma = @firma ";

    Apply this to all parameters.

    0 Discussion (0)
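Both answers add one parameter per combo box by hand. As an added example (not code from the question or either answer), the same optional-filter query generalised to any number of filters, with column names taken from a fixed allow-list and every user value bound as a parameter; `BuildFilterCommand`, the column names, the sample filter values and the connection string are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class FilterQuery
{
    // Fixed allow-list of filterable columns: only these names can ever reach the SQL text.
    static readonly string[] AllowedColumns = { "firma", "stadt", "land" };

    // Builds "SELECT distinct ha FROM app WHERE 1=1 AND <col> = @pN ..." with one parameter
    // per non-empty filter. User input only ever becomes a parameter value, never SQL syntax.
    public static SqlCommand BuildFilterCommand(SqlConnection con, IDictionary<string, string> filters)
    {
        SqlCommand cmd = con.CreateCommand();
        string query = "SELECT distinct ha FROM app WHERE 1=1";
        int n = 0;
        foreach (string column in AllowedColumns)        // walk the allow-list, not the input keys
        {
            string value;
            if (!filters.TryGetValue(column, out value) || string.IsNullOrEmpty(value))
                continue;                                // empty box: no clause, same as the answers
            string name = "@p" + n++;
            query += " AND " + column + " = " + name;    // column comes from the allow-list above
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 100).Value = value;
        }
        cmd.CommandText = query;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input standing in for the combo boxes; the quote in "Müller's"
        // would break a concatenated query but is harmless as a parameter value.
        var filters = new Dictionary<string, string>
        {
            ["firma"] = "Müller's GmbH",
            ["stadt"] = "Berlin",
            ["land"] = ""
        };
        // Assumed connection string; the connection is never opened in this demo.
        using (var con = new SqlConnection("Server=localhost;Database=app;Integrated Security=true"))
        using (SqlCommand cmd = BuildFilterCommand(con, filters))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
        }
    }
}
```

Because the command is built without opening the connection, the generated CommandText and parameter list can be checked in a unit test before the query ever reaches the database.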