Question
I am analyzing my code and got this security issue:
CA2100 Review SQL queries for security vulnerabilities The query string passed to 'SqlDataAdapter.SqlDataAdapter(string, SqlConnection)' in 'Add_item.loadgrid()' could contain the following variables 'Login.dbName'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations. Login Add_item.cs 64
This is the highlighted code:
SqlDataAdapter da = new SqlDataAdapter("SELECT Newjob FROM [" + Login.dbName + "].newjob", connection.conn);
Answer 1:
This is what is commonly known as a SQL Injection vulnerability. Instead of concatenating values into a string and passing that string to the SQL Server, you should use SqlParameter objects.
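The catch in this particular case is that Login.dbName is used as an identifier (the database or schema name in the FROM clause), and SQL Server does not accept SqlParameter values in identifier positions; parameters are treated as data, never as object names. So a parameter alone cannot replace that concatenation. The example below is an added illustration (not code from the original question or answer) of the defensive pattern that applies here: validate the identifier against a strict pattern, bracket-quote it, and route every real data value through a SqlParameter. The names connection.conn and Login.dbName are taken from the question; the Status column and the status filter parameter are assumptions added for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not part of the original post or the asker's project.
static class NewJobQueries
{
    // Identifiers (database, schema, table and column names) cannot be passed as
    // SqlParameter values, so the name must be validated instead. This pattern
    // allows only plain identifier characters (no brackets, quotes, dots or spaces)
    // and caps the length at SQL Server's 128-character identifier limit.
    private static readonly Regex SafeIdentifier =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$");

    // Returns the name wrapped in brackets. The regex already rejects ']', but the
    // doubling of ']' is kept as defense in depth: it is the same escaping that
    // T-SQL's QUOTENAME() performs, so a ']' can never terminate the identifier early.
    public static string QuoteIdentifier(string name)
    {
        if (name == null || !SafeIdentifier.IsMatch(name))
            throw new ArgumentException("Invalid SQL identifier: " + name);
        return "[" + name.Replace("]", "]]") + "]";
    }

    // Hardened version of the loadgrid() query from the question. The database name
    // is validated and quoted before it touches the query text, and the data value
    // (a status filter, assumed here for illustration) goes through a SqlParameter,
    // so it is never interpreted as SQL whatever the user typed.
    public static DataTable LoadNewJobs(SqlConnection conn, string dbName, string status)
    {
        string sql = "SELECT Newjob FROM " + QuoteIdentifier(dbName)
                   + ".newjob WHERE Status = @status";

        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameter: the value is sent separately from the command text.
            cmd.Parameters.Add("@status", SqlDbType.NVarChar, 50).Value = status;

            using (var da = new SqlDataAdapter(cmd))
            {
                var table = new DataTable();
                da.Fill(table);
                return table;
            }
        }
    }
}

// Usage inside Add_item.loadgrid(), assuming connection.conn is an open SqlConnection:
//   dataGridView1.DataSource = NewJobQueries.LoadNewJobs(connection.conn, Login.dbName, "open");
```

Two practical notes. First, if the set of databases a user may select is known, an explicit allowlist (for example, a fixed list or a check against the names returned by sys.databases) is stronger than a character pattern, because it rejects valid-looking names the application never intended to expose. Second, CA2100 is a heuristic that flags any command text that is not a compile-time constant; it cannot see the validation above, so it may still report the line, and the right response is then a documented SuppressMessage with the justification, not a change that removes the validation.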
Source: https://stackoverflow.com/questions/19851722/how-can-i-fix-ca2100-review-sql-queries-for-security-vulnerabilities-issue