c# - Avoiding SQL Injections with Parameters by C#?
Question
I have recently adjusted my code to avoid SQL injections for MariaDB and got help with adding parameters. When I use the parameters method, the page gets a runtime error:
    // `end` is a reserved word in MariaDB/MySQL, so it must be backtick-quoted or the statement fails to parse
    strSQL = "SELECT * FROM `user` WHERE uid = @uid AND start >= @StartDate AND `end` <= @EndDate";
    DataSet ds = QueryDataSet(strSQL, uid, StartDate, EndDate);

    // DBconn is a MySqlConnection field of the surrounding class
    public DataSet QueryDataSet(string strSQL, string uid, string StartDate, string EndDate)
    {
        try
        {
            using (MySqlDataAdapter da = new MySqlDataAdapter(strSQL, DBconn))
            {
                // the placeholders in strSQL are bound here; the SQL text itself never changes
                da.SelectCommand.Parameters.AddWithValue("@uid", uid);
                da.SelectCommand.Parameters.AddWithValue("@StartDate", StartDate);
                da.SelectCommand.Parameters.AddWithValue("@EndDate", EndDate);
                DataSet ds = new DataSet();
                da.Fill(ds);   // Fill opens the connection if it is closed and closes it again afterwards
                return ds;
            }
        }
        catch (Exception ex)
        {
            // keep the original exception as InnerException instead of discarding it
            throw new System.Exception("QueryDataSet failed: " + ex.Message, ex);
        }
    }
I am relatively new to using MariaDB, so any help is appreciated.
Answer
If you want to avoid SQL injections, another approach besides parameterized queries is stored procedures.
You can read about them here => https://www.techonthenet.com/mariadb/procedures.php or you can research them on your own.
Example of calling a stored procedure from an ASP.NET application:
    // requires: using System.Data; using MySql.Data.MySqlClient;
    // constr (connection string), customerId and the GridView1 control are defined elsewhere on the page
    using (MySqlConnection con = new MySqlConnection(constr))
    {
        using (MySqlCommand cmd = new MySqlCommand("Customers_GetCustomer", con))
        {
            // CommandType.StoredProcedure makes the command text the procedure name, not an SQL statement
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.AddWithValue("@CustId", customerId);
            using (MySqlDataAdapter sda = new MySqlDataAdapter(cmd))
            {
                DataTable dt = new DataTable();
                sda.Fill(dt);   // Fill opens and closes the connection itself
                GridView1.DataSource = dt;
                GridView1.DataBind();
            }
        }
    }
(Code taken from https://www.aspsnippets.com/Articles/Call-MySql-Stored-Procedure-with-Parameters-in-ASPNet-C-and-VBNet.aspx)
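As an added example (not code from the question or the answer above), the three forms side by side in C#: the concatenated query that parameters are meant to replace, the question's parameterized query with the reserved `end` column quoted and the dates passed as typed values, and a stored-procedure call. It assumes the MySql.Data connector (namespace MySql.Data.MySqlClient); the table layout follows the question, while the connection string, the procedure name user_in_range and its definition, and the hostile input are assumptions.

```csharp
// Added example, not code from the question or the answer. Assumes the MySql.Data NuGet
// package, a MariaDB table `user` with columns uid, start and end as in the question, and a
// hypothetical stored procedure user_in_range (definition shown in the comment below).
using System;
using System.Data;
using MySql.Data.MySqlClient;

public static class UserQueries
{
    // `end` is a reserved word in MariaDB/MySQL and must be backtick-quoted, otherwise the
    // statement fails with a syntax error before any parameter is bound.
    const string SafeSql =
        "SELECT * FROM `user` WHERE uid = @uid AND start >= @StartDate AND `end` <= @EndDate";

    // 1. VULNERABLE: values are spliced into the SQL text. Shown only to make the
    //    difference visible; never use this form.
    public static string BuildVulnerableSql(string uid, string startDate, string endDate)
    {
        return "SELECT * FROM `user` WHERE uid = '" + uid + "' AND start >= '" + startDate +
               "' AND `end` <= '" + endDate + "'";
    }

    // 2. SAFE: parameterized query. The SQL text is fixed; the values are sent to the
    //    server separately and compared as data, so quotes in uid cannot change the query.
    //    Dates go in as DateTime rather than strings, so no server-side string parsing.
    public static DataTable GetUsersParameterized(string connStr, string uid, DateTime start, DateTime end)
    {
        using (var con = new MySqlConnection(connStr))
        using (var cmd = new MySqlCommand(SafeSql, con))
        {
            // Add(name, type) instead of AddWithValue fixes the wire type explicitly.
            cmd.Parameters.Add("@uid", MySqlDbType.VarChar).Value = uid;
            cmd.Parameters.Add("@StartDate", MySqlDbType.DateTime).Value = start;
            cmd.Parameters.Add("@EndDate", MySqlDbType.DateTime).Value = end;
            using (var da = new MySqlDataAdapter(cmd))
            {
                var dt = new DataTable();
                da.Fill(dt); // Fill opens and closes the connection itself
                return dt;
            }
        }
    }

    // 3. SAFE: stored procedure (hypothetical name and body), created once on the server with
    //      CREATE PROCEDURE user_in_range(IN p_uid VARCHAR(64), IN p_start DATETIME, IN p_end DATETIME)
    //        SELECT * FROM `user` WHERE uid = p_uid AND start >= p_start AND `end` <= p_end;
    //    A procedure is only injection-safe when its body uses the arguments as values, as
    //    this one does, and not when it assembles a statement with CONCAT() + PREPARE/EXECUTE.
    public static DataTable GetUsersStoredProcedure(string connStr, string uid, DateTime start, DateTime end)
    {
        using (var con = new MySqlConnection(connStr))
        using (var cmd = new MySqlCommand("user_in_range", con))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@p_uid", MySqlDbType.VarChar).Value = uid;
            cmd.Parameters.Add("@p_start", MySqlDbType.DateTime).Value = start;
            cmd.Parameters.Add("@p_end", MySqlDbType.DateTime).Value = end;
            using (var da = new MySqlDataAdapter(cmd))
            {
                var dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
    }

    public static void Main()
    {
        // Constructed hostile input: closes the quoted literal and appends an always-true clause.
        string hostileUid = "alice' OR '1'='1";
        Console.WriteLine(BuildVulnerableSql(hostileUid, "2020-01-01", "2020-12-31"));
        // The concatenated statement now reads
        //   ... WHERE uid = 'alice' OR '1'='1' AND start >= '2020-01-01' AND `end` <= '2020-12-31'
        // so the uid check is bypassed and every row in the date range comes back.
        // GetUsersParameterized sends the same string as a value: it is compared literally
        // against uid and matches nothing unless such a uid really exists.
    }
}
```

The property that makes forms 2 and 3 safe is the same in both: the statement text is complete before any user data reaches the server, so the data can only ever be a value. A stored procedure therefore adds nothing over a parameterized query for injection purposes, and loses that protection again if its body builds SQL dynamically from its arguments. Passing dates as DateTime (or DateOnly on newer runtimes) rather than as strings also removes a second class of problems: format-dependent parsing on the server and implicit conversions chosen by AddWithValue.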