SQL databases are commonly used to store data; for example - your application could store user profile information in a database. Yous should never create inline SQL or other database queries in your code using raw user input and send it directly to the database; this behavior is a recipe for disaster, as we saw above.
For example - do not create code like the following inline SQL example:
string userName = Request.QueryString["username"]; // receive input from the user BEWARE! ... string query = "SELECT * FROM [dbo].[users] WHERE userName = ‘" + userName + "‘";
Here we concatenate text strings together to create the query, taking the input from the user and generating a dynamic SQL query to look up the user. Again, if a malicious user realized we were doing this, or just tried different input styles to see if there was a vulnerability, we could end up with a major disaster. Instead, use parameterized SQL statements or stored procedures such as this:
-- Lookup a user CREATE PROCEDURE sp_findUser ( @UserName varchar(50) ) SELECT * FROM [dbo].[users] WHERE userName = @UserName
With this method you can invoke the procedure from your code safely, passing it the userName string without worrying about it being treated as part of the SQL statement.
[Security] Always use parameterized queries
原文:https://www.cnblogs.com/Answer1215/p/11925645.html