Avoiding SQL Injection in SQL query with Like Oper

2020-02-05 17:33发布

站内问答 / 前端开发
1363 4 4

Taking over some code from my predecessor and I found a query that uses the Like operator:

SELECT * FROM suppliers WHERE supplier_name like '%'+name+%';

Trying to avoid SQL Injection problem and parameterize this but I am not quite sure how this would be accomplished. Any suggestions ?

note, I need a solution for classic ADO.NET - I don't really have the go-ahead to switch this code over to something like LINQ.

4条回答
疯言疯语
2楼-- · 2020-02-05 17:55

Short Anwser:

1) name.Replace("'", "''").... Replace any escape characters that your database may have (single quotes being the most common)

2) if you are using a language like .net use Parameterized Queries

sql="Insert into Employees (Firstname, Lastname, City, State, Zip, Phone, Email) Values ('" & frmFirstname.text & "', '" & frmLastName & "', '" & frmCity & "', '" & frmState & "', '" & frmZip & "', '" & frmPhone & "', '" & frmEmail & "')"

The above gets replaced with the below

Dim MySQL as string = "Insert into NewEmp (fname, LName, Address, City, State, Postalcode, Phone, Email) Values (@Firstname, @LastName, @Address, @City, @State, @Postalcode, @Phone, @Email)" 

With cmd.Parameters:
    .Add(New SQLParameter("@Firstname", frmFname.text))
    .Add(New SQLParameter("@LastName", frmLname.text))
    .Add(New SQLParameter("@Address", frmAddress.text))
    .Add(New SQLParameter("@City", frmCity.text))
    .Add(New SQLParameter("@state", frmState.text))
    .Add(New SQLParameter("@Postalcode", frmPostalCode.Text))
    .Add(New SQLParameter("@Phone", frmPhone.text))
    .Add(New SQLParameter("@email", frmemail.text))
end with

3) user Stored procs

4) use Linq to SQL, again if you are using .net

查看更多
0人赞 添加讨论(0) 举报
混吃等死
3楼-- · 2020-02-05 18:04

In Entity Framework 6 it could be done like this by Native SQL:

List<Person> peopleList = contex.People.SqlQuery(
    @"SELECT * FROM [Person].[Person]
       WHERE [FirstName] LIKE N'%' + @p0 + '%' ", "ab").ToList();

Or

List<Person> peopleList = contex.People.SqlQuery(
    @"SELECT * FROM [Person].[Person]
       WHERE [FirstName] LIKE N'%' + @name + '%' ",
    new SqlParameter("@name", "ab")).ToList();

Also, you can just use LINQ to Entities directly:

List<Person> peopleList1 = contex.People.Where(s => s.FirstName.Contains("ab")).ToList();
查看更多
0人赞 添加讨论(0) 举报
▲ chillily
4楼-- · 2020-02-05 18:07

Simply parameterize your query:

SELECT * FROM suppliers WHERE supplier_name like '%' + @name + '%'

Now you can pass your "name" variable into the @name parameter and the query will execute without any danger of injection attacks. Even if you pass in something like "'' OR true --" it'll still work fine.

查看更多
0人赞 添加讨论(0) 举报
虎瘦雄心在
5楼-- · 2020-02-05 18:12

try this: 

var query = "select * from foo where name like @searchterm";
using (var command = new SqlCommand(query, connection))
{
  command.Parameters.AddWithValue("@searchterm", String.Format("%{0}%", searchTerm));
  var result = command.ExecuteReader();
}

the framework will automatically deal with the quoting issues.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)