Question
I have two SQL queries in which I'm trying to update sup and opp values with +1 and -1 respectively each time the query is called.
First query:
string query = "update disc set sup=@sup, opp=@opp where did=@did";
int sups = getnoofsup(did);   // current sup value, read by a separate query
int opps = getnoofopp(did);   // current opp value, read by a separate query
com.Parameters.AddWithValue("@sup", sups + 1);
com.Parameters.AddWithValue("@opp", opps - 1);
com.Parameters.AddWithValue("@did", did);
com.ExecuteNonQuery();
Second query:
string query = "update disc set sup=sup+1, opp=opp-1 where did=@did";
com.Parameters.AddWithValue("@did", did);
com.ExecuteNonQuery();
Is there any threat of injection in the second query because I replaced @sup with sup+1?
Answer 1:
No, the second query is as secure as the first one, because it is fully parameterized, and therefore does not present a path through which external data could enter the text of the SQL query itself. The sup+1 expression is calculated by the RDBMS, not by your program*, so it cannot present an opportunity to inject new code into the existing SQL.
* and it is not subsequently presented to SQL's exec stored procedure for re-interpretation.
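The point in this answer, shown as an added example that is not code from the question or from any of the answers: the same two update styles written against Python's sqlite3 module instead of ADO.NET, with sqlite3's "?" placeholder standing in for the "@did" parameter. The disc table, its two rows and the hostile did value are all constructed for the demo. The parameterized "sup=sup+1" form is fed an attacker-style did and touches nothing, while a string-concatenated variant of the same query (added here for contrast, not something the post uses) is driven into updating every row.

```python
import sqlite3

# Added example (not code from the question or the answers): the same two
# update styles, written against Python's sqlite3 module instead of ADO.NET.
# sqlite3's "?" placeholder plays the role of the "@did" parameter in the post.
# The table, its rows and the hostile input are constructed for this demo.


def make_db():
    """Create an in-memory 'disc' table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table disc (did integer primary key, "
        "sup integer not null, opp integer not null)"
    )
    conn.executemany(
        "insert into disc (did, sup, opp) values (?, ?, ?)",
        [(1, 10, 5), (2, 3, 3)],
    )
    conn.commit()
    return conn


def vote_parameterized(conn, did):
    """The second query from the post: sup+1 and opp-1 are computed by the
    engine, and the only outside data is the bound 'did' parameter.
    Returns the number of rows updated."""
    cur = conn.execute(
        "update disc set sup=sup+1, opp=opp-1 where did=?", (did,)
    )
    conn.commit()
    return cur.rowcount


def vote_concatenated(conn, did):
    """Deliberately vulnerable counterpart (not from the post): 'did' is
    spliced into the SQL text, so a value like "1 or 1=1" becomes part of
    the WHERE clause. Returns the number of rows updated."""
    sql = "update disc set sup=sup+1, opp=opp-1 where did=" + str(did)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def snapshot(conn):
    """All rows as (did, sup, opp), ordered by did."""
    return conn.execute("select did, sup, opp from disc order by did").fetchall()


def demo():
    """Run an honest vote and a hostile 'did' through both styles and
    report what each one did to the table."""
    conn = make_db()
    hostile_did = "1 or 1=1"   # constructed attacker-controlled input
    results = {}
    results["param_honest_rows"] = vote_parameterized(conn, 1)
    results["after_param_honest"] = snapshot(conn)
    # Bound as data: SQLite compares the integer column to the literal
    # string "1 or 1=1", which matches no row. Nothing is touched.
    results["param_hostile_rows"] = vote_parameterized(conn, hostile_did)
    results["after_param_hostile"] = snapshot(conn)
    # Spliced as SQL: "where did=1 or 1=1" is true for every row.
    results["concat_hostile_rows"] = vote_concatenated(conn, hostile_did)
    results["after_concat_hostile"] = snapshot(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints one honest update of row 1, zero rows touched by the hostile value when it is bound as a parameter, and both rows incremented by the concatenated variant. The demo uses a boolean payload rather than a stacked "; drop table" one because sqlite3's execute() refuses more than one statement per call, which is a property of that driver and not a defence that the query text itself provides.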
Answer 2:
Both queries are equally secure against SQL injection, but
com.Parameters
is always preferable.
Answer 3:
The second query is better.
string query="update disc set sup=sup+1, opp=opp-1 where did=@did" ;
com.Parameters.AddWithValue("@did", didparameter);
com.ExecuteNonQuery();
Answer 4:
Both queries are secure, but the second one is preferable because you don't need to add extra parameters.
In the first query you are finding the values of sup and opp, which you don't need to have.
Source: https://stackoverflow.com/questions/13932068/which-sql-query-is-more-secure-in-terms-of-sql-injection