Question
How can I prevent sql injection when programming against OrientDb using the OrientDB-NET.binary? Is there a way to escape special characters for Orient-SQL and work with string literals?
Example: I want to store this literal: me' or 1 = 1 ),'//
and then be able to query it like
select from MyVertex where text = '...'
I'm having trouble doing this in OrientDb studio too.
I have found this post which is related to the Java driver, so I was wondering if there is something similar for .NET.
Answer 1:
You need to use parameterized queries.
These are queries that separate data from syntax, which is the root problem behind SQL injection.
In C#, using the OrientDB-NET binary, you want to do something like this (adapted from the OrientDB-NET wiki):

```csharp
using (ODatabase database = new ODatabase("yourDatabase"))
{
    // The SQL text is fixed; the '?' is a placeholder that the driver binds separately.
    PreparedQuery query = new PreparedQuery("SELECT FROM MyVertex WHERE text = ?");

    // The user-supplied value is passed as a parameter, never spliced into the SQL string.
    var selectedValue = database
        .Query(query)
        .Run([***Your Input Here***])
        .SingleOrDefault();

    var text = selectedValue.GetField<string>("text");
}
```
You can check out the OrientDB-NET unit tests for PreparedQuery to see more examples of how you might do this.
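To make the difference concrete, here is an added example (not code from the answer above or from the OrientDB-NET project) that builds the query both ways with the exact literal from the question. It assumes the `Orient.Client` namespace and the `ODatabase`/`PreparedQuery`/`Query().Run()` calls used in the answer; `MyVertex`, `text` and the sample input are taken from the question.

```csharp
// Added example, not from the original answer or the OrientDB-NET project.
// Assumption: OrientDB-NET.binary exposes ODatabase and PreparedQuery under
// the Orient.Client namespace and behaves as in the snippet in the answer.
using System;
using System.Linq;
using Orient.Client;

public static class InjectionDemo
{
    // The literal from the question, treated here as untrusted user input.
    public const string HostileInput = "me' or 1 = 1 ),'//";

    // Vulnerable: the value is spliced into the SQL syntax. For HostileInput
    // the resulting text is
    //   SELECT FROM MyVertex WHERE text = 'me' or 1 = 1 ),'//'
    // so the quote inside the input closes the literal early and the rest of
    // the input is parsed as query syntax rather than as data.
    public static string BuildUnsafeQuery(string userInput)
    {
        return "SELECT FROM MyVertex WHERE text = '" + userInput + "'";
    }

    // Safe: the SQL text contains only a placeholder and never changes, no
    // matter what the input is. The value is bound at execution time, so any
    // quotes or keywords it contains stay inside the compared string.
    public static PreparedQuery BuildSafeQuery()
    {
        return new PreparedQuery("SELECT FROM MyVertex WHERE text = ?");
    }

    public static void Main()
    {
        // Shows what the server would have received with string concatenation.
        Console.WriteLine("Unsafe query text: " + BuildUnsafeQuery(HostileInput));

        // Parameterized lookup of the same literal: the stored value is matched
        // exactly, with "or 1 = 1" treated as characters in the text field.
        using (ODatabase database = new ODatabase("yourDatabase"))
        {
            var record = database
                .Query(BuildSafeQuery())
                .Run(HostileInput)
                .SingleOrDefault();

            Console.WriteLine(record == null
                ? "No vertex with that exact text."
                : "Found: " + record.GetField<string>("text"));
        }
    }
}
```

The same principle applies when writing the record in the first place: bind the literal as a parameter to the INSERT or UPDATE command instead of concatenating it, and the stored value will be exactly the characters the user supplied.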
Source: https://stackoverflow.com/questions/27843190/orientdb-sql-injection-and-escaping-characters