当前位置：网站首页>Executing SQL statements with parameterized commands

Executing SQL statements with parameterized commands

2022-06-24 18:39:00 【MousseIn】

Parameterized command execution sql sentence

Understand the benefits of parameterized instructions
Master the use of parameterized instructions to execute sql sentence
- Use @ Construct parameterization sql command

Understand the benefits of parameterized instructions

prevent sql Inject

string sb = “SELECT *FROM admin WHERE loginid =’”+loginId+"‘AND loginPwd =’"+logingPwd+"’"
string sb =“SELECT * FROM admin WHERE loginid =” or 1=1 --AND loginPwd = ‘xxx’

Use this splicing method , Two disadvantages ：

Not beautiful , And it's easy to make mistakes .
Poor safety , Easy to be sql Injection attack .

Examples are as follows ：

using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace CH03
{
    
    class Program
    {
    
        static void Main(string[] args)
        {
    
            Console.WriteLine(" Please enter a user name ：");
            string name = Console.ReadLine();
            Console.WriteLine(" Please input a password ：");
            string pwd = Console.ReadLine();
            int count = 0;
            string conStr = "data source=(local);database=MySchool;uid=sa;pwd=123456";
            using (SqlConnection con = new SqlConnection(conStr))
            {
    
                con.Open();
                string sql = "select count(*) from dbo.student where studentno = "+ name +" and loginpwd = '"+pwd +"'";
                SqlCommand cmd = new SqlCommand(sql,con);
                count = Convert.ToInt32(cmd.ExecuteScalar());


            }
            if (count > 0)
            {
    
                Console.WriteLine(" Landing successful !");
            }
            else
            {
    
                Console.WriteLine(" Login failed ！");
            }
            Console.ReadKey();
        }
    }
}

I use count This parameter is used to receive the number of affected rows returned , If the number of returned rows is greater than zero , Login succeeded , If the number of returned rows is less than zero , Login failed .
If we enter... In the user name column "3 or 1=1 --" The original statement to go to the database

select count(*) from dbo.student  where studentno =  '23214' and loginpwd = '0000'

Turned into

select count(*) from dbo.student  where studentno =  3 or 1 = 1 -- and loginpwd = '123456'

Heng holds and the database password is commented out .
Execution results count The return value is fixed to have a value , Therefore, the login is successful .
Parameterized query is an implementation that can effectively avoid the above drawbacks sql How statements work .

Master the use of parameterized instructions to execute sql sentence

Use @ Construct parameterization sql command

sqlParameter object

and “@” The decorated parameters correspond to each other , To replace this parameter
adopt Commend Of Parameters Attribute addition SqlParameter object

SqlParameter Properties of

DbType The data type of the corresponding database
Direction Parameters can only be entered 、 No output 、 Bidirectional or stored procedure return value parameter
IsNullable Whether the parameter accepts null values
ParameterName Name of parameter
Size The maximum size of the data corresponding to the parameter
SqlDbType SQL Server The data type of the database
Value The value of the parameter

Use SqlCommmand Perform parameterization SQL Steps for

Construct database link objects
Construct parameterization SQL sentence
structure SqlParameter object
establish SqlCommand object , Use SqlParameter Object fill data
Open database link , perform SqlCommand command

Examples are as follows ：

using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Text;
using System.Threading.Tasks;


namespace CH03
{
    
    class Program
    {
    
        static void Main(string[] args)
        {
    
            Console.WriteLine(" Please enter a user name ：");
            string name = Console.ReadLine();
            Console.WriteLine(" Please input a password ：");
            string pwd = Console.ReadLine();
            int count = 0;
            string conStr = "data source=(local);database=MySchool;uid=sa;pwd=123456";
            using (SqlConnection con = new SqlConnection(conStr))
            {
    
                con.Open();
                // Build parameterization sql sentence 
                string sql = "select count(*) from student where studentno [email protected] and loginpwd = @pwd";
                // Build the value to replace , structure sqlparameter object 
                SqlParameter[] par = {
    
                                     new SqlParameter("@n",name),// relation 
                                     new SqlParameter("@pwd",pwd)
                                     };
                //string sql = "select count(*) from dbo.student where studentno = "+ name +" and loginpwd = '"+pwd +"'";
                SqlCommand cmd = new SqlCommand(sql,con);
                cmd.Parameters.AddRange(par);// Add a parameterized array to cmd in 
                count = Convert.ToInt32(cmd.ExecuteScalar());


            }
            if (count > 0)
            {
    
                Console.WriteLine(" Landing successful !");
            }
            else
            {
    
                Console.WriteLine(" Login failed ！");
            }
            Console.ReadKey();
        }
    }
}

Input again sql Injection method ：
Incoming sql Statement for ：
select count(*) from student where studentno [email protected] and loginpwd = @pwd
Rather than using + No sql sentence .
The advantage is that ：