No, you are not safe. Even if dataChoosed is an innocent integer value, a bad guy can harm you with, say, a negative value format:
using System.Globalization;
using System.Threading;

// It's good old "-1", with a bit strange format
// (let us use "delete from table commit;" as an injection)
string dataChoosed = "1'; delete from table commit; --1";
// A little hack: let the "-" sign be...
CultureInfo hacked = new CultureInfo("en-US");
hacked.NumberFormat.NegativeSign = "1'; delete from table commit; --";
Thread.CurrentThread.CurrentCulture = hacked;
string sCondition = "";
if (dataChoosed != "randomValue")
{
    int v;
    // since "1'; delete from table commit; --1" is of correct format it will be parsed
    if (int.TryParse(dataChoosed, out v))
        sCondition = " WHERE RandomField = '" + dataChoosed + "' ";
}
// cd is the command object (e.g. a SqlCommand) that will execute the text
cd.CommandText = "SELECT xData FROM table " + sCondition + "GROUP BY xxx";
And, voilà! Where is my table? The command text will be
SELECT xData FROM table = '1'; delete from table commit; --1'GROUP BY xxx
which is effectively the query:
SELECT xData FROM table = '1'; -- the innocent one
delete from table commit; -- an arbitrary query from the attacker
(I have removed the commented-out --1'GROUP BY xxx fragment)
Please, use parameters, don't tempt us. Please note that you don't want to change the code: you just have to change the regional settings in Windows.
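The hardened counterpart of the snippet above, as an added example that is not part of the original answer: the input is parsed with the invariant culture (so a tampered NegativeSign on the current thread culture has no effect), and the parsed int, never the raw string, is bound as a typed SQL parameter. The class and method names are mine; the table and column names come from the answer, and the code assumes the System.Data.SqlClient provider (the connection is never opened, it only serves to create the command).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Threading;

// Added example, not part of the original answer. Hardened counterpart of the
// vulnerable snippet: invariant-culture parsing plus a parameterized command.
public static class SafeRandomFieldQuery
{
    // Parse with the invariant culture, whose NegativeSign is always "-", so a
    // rewritten CurrentCulture.NumberFormat cannot make a hostile string look like "-1".
    public static bool TryParseInvariant(string input, out int value)
    {
        return int.TryParse(input, NumberStyles.Integer, CultureInfo.InvariantCulture, out value);
    }

    // The SQL text is a constant; the value travels as a typed parameter,
    // so no user-controlled characters are ever spliced into the statement.
    public static SqlCommand BuildCommand(SqlConnection connection, int randomField)
    {
        SqlCommand cmd = connection.CreateCommand();
        cmd.CommandText = "SELECT xData FROM table WHERE RandomField = @randomField GROUP BY xxx";
        cmd.Parameters.Add("@randomField", SqlDbType.Int).Value = randomField;
        return cmd;
    }

    public static void Main()
    {
        // Reproduce the tampered culture from the answer (constructed for this demo)
        // to show that it no longer influences the parse.
        CultureInfo hacked = new CultureInfo("en-US");
        hacked.NumberFormat.NegativeSign = "1'; delete from table commit; --";
        Thread.CurrentThread.CurrentCulture = hacked;

        // Constructed inputs: two honest integers and the hostile string from the answer.
        string[] inputs = { "42", "-7", "1'; delete from table commit; --1" };

        using (SqlConnection connection = new SqlConnection()) // not opened; only used to create commands
        {
            foreach (string dataChosen in inputs)
            {
                if (!TryParseInvariant(dataChosen, out int v))
                {
                    Console.WriteLine("Rejected: " + dataChosen);
                    continue;
                }
                SqlCommand cmd = BuildCommand(connection, v);
                Console.WriteLine("Accepted " + v + " -> " + cmd.CommandText);
            }
        }
    }
}
```

Running this rejects the hostile string while still accepting "42" and "-7"; even if a caller parsed with the current culture by mistake, binding the resulting int as a parameter means the statement text never changes.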
You should use parameters. There is nothing wrong with concatenating SQL with parameters. – SLaks
Be sure to use parameters; also see [Best Practices - Executing Sql Statements](http://stackoverflow.com/documentation/.net/3589/ado-net/14261/best-practices-executing-sql-statements) for more information. – Igor
The past participle of "choose" is "chosen", not "choosed". It makes it easier for others to review your code if the variable names have correct spelling in them :) –