Is FieldByName injection-safe?

Submitted by ぃ、小莉子 on 2019-12-11 08:37:54

Question


I'm talking about Delphi + ADO + MSSQL. Okay, I know that queries with parameters are quite safe against SQL injection. On the other hand, dynamic queries are quite unsafe. But what about the classic FieldByName method? Can I safely assign ABSOLUTELY any string value via FieldByName, without risking an injection?


Answer 1:


It is safe. ADO uses parameters for Update/Insert/Delete.

You can trace this with SQL Profiler, e.g.:

exec sp_executesql N'UPDATE "test".."Activity" SET "data"=@P1 WHERE "InvokeTime"=@P2 AND "data"=@P3',N'@P1 float,@P2 datetime,@P3 float',1,'2013-04-24 10:46:22.933',0,48607825089780715

exec sp_executesql N'INSERT INTO "test".."Activity" ("InvokeTime","data") VALUES (@P1,@P2)',N'@P1 datetime,@P2 float','2000-01-01 00:00:00',2

exec sp_executesql N'DELETE FROM "test".."Activity" WHERE "InvokeTime"=@P1 AND "data"=@P2',N'@P1 datetime,@P2 float','2000-01-01 00:00:00',3
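The following T-SQL script is an added example and is not part of the original answer. It reproduces, by hand, the shape of the statement that the Profiler trace above shows ADO emitting when a record assigned through FieldByName is posted, and contrasts it with the concatenated dynamic SQL the question worries about. The table name and columns are borrowed from the trace but the data column is assumed to be nvarchar rather than float so that a string payload can be stored; the hostile input is constructed for the demonstration.

```sql
-- Added example (not from the original answer or from ADO itself).
-- Assumption: a scratch table shaped like the one in the trace, with "data"
-- as nvarchar instead of float so a string value can be stored.
CREATE TABLE #Activity (
    InvokeTime datetime      NOT NULL,
    data       nvarchar(100) NOT NULL
);

-- Constructed attacker-style value: a quote that would close a string
-- literal, followed by a second statement and a comment marker.
DECLARE @Hostile nvarchar(100) = N''' ; DROP TABLE #Activity; --';

-- 1) Parameterised form: the shape ADO sends for a posted record
--    (compare the INSERT line in the Profiler trace).  The value travels
--    as a typed parameter, never as part of the statement text.
EXEC sp_executesql
    N'INSERT INTO #Activity ("InvokeTime","data") VALUES (@P1,@P2)',
    N'@P1 datetime, @P2 nvarchar(100)',
    @P1 = '2000-01-01 00:00:00',
    @P2 = @Hostile;

-- The row holds the entire string, quote and all; the table still exists.
SELECT data, OBJECT_ID('tempdb..#Activity') AS TableObjectId
FROM #Activity;

-- 2) Dynamic-SQL form: the same value concatenated into the statement.
--    The embedded quote now ends the literal, so the rest runs as SQL.
DECLARE @Dynamic nvarchar(400) =
    N'INSERT INTO #Activity ("InvokeTime","data") '
  + N'VALUES (''2000-01-01 00:00:00'', ''' + @Hostile + N''')';

PRINT @Dynamic;   -- shows the injected DROP TABLE inside the statement
EXEC (@Dynamic);

-- After the injected statement runs the table is gone: OBJECT_ID is NULL.
SELECT OBJECT_ID('tempdb..#Activity') AS TableObjectIdAfterInjection;
```

Run it in a single session (SSMS or sqlcmd) so the temporary table is visible to both the sp_executesql call and the EXEC. The point the trace makes is visible in the first SELECT: because the value is bound as @P2, SQL Server never parses it, so quotes, semicolons and comment markers inside it are just characters in the stored string. Only the concatenated form in step 2 lets the input alter the statement.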


Source: https://stackoverflow.com/questions/17209680/is-fieldbyname-injection-safe
