[Security] Always use parameterized queries
SQL databases are commonly used to store data; for example - your application could store user profile information in a database. Yous should never create inline SQL or other database queries in your code using raw user input and send it directly to the database; this behavior is a recipe for disaster, as we saw above.
For example - do not create code like the following inline SQL example:
string userName = Request.QueryString["username"]; // receive input from the user BEWARE!
...
string query = "SELECT * FROM [dbo].[users] WHERE userName = '" + userName + "'";
Here we concatenate text strings together to create the query, taking the input from the user and generating a dynamic SQL query to look up the user. Again, if a malicious user realized we were doing this, or just tried different input styles to see if there was a vulnerability, we could end up with a major disaster. Instead, use parameterized SQL statements or stored procedures such as this:
-- Lookup a user
CREATE PROCEDURE sp_findUser
(
@UserName varchar(50)
) SELECT * FROM [dbo].[users] WHERE userName = @UserName
With this method you can invoke the procedure from your code safely, passing it the userName string without worrying about it being treated as part of the SQL statement.
最新文章
- nginx下搭建CodeIgniter问题集锦
- readonly
- struct内存对齐1:gcc与VC的差别
- ArcGIS Viewer for Flex中引入google map作底图
- Coding 初级教程(一)——用GitHub的GUI客户端对Coding的项目进行管理
- Android中ListView中有button,checkbox,GridView时事件问题
- BZOJ 1588 营业额统计 Splay
- 技术贴 本地代码与svn关联教程 svn upgrade问题解决
- Kia's Calculation(贪心)
- 负载均衡集群之LVS持久链接
- CPU自制入门——笔记
- 动手Jquery插件
- tabBarItem动画
- js中的写出想jquery中的函数一样调用
- Winform DevExpress控件库(三) 使用NavBarControl控件定制导航栏
- noi.ac#309 Mas的童年(子集乱搞)
- MT2017笔试题
- LeetCode(116):填充同一层的兄弟节点
- 10.25 AITalkUat部署
- WebAssembly 浏览器中运行c/c++模块