[Security] Always use parameterized queries
SQL databases are commonly used to store data; for example - your application could store user profile information in a database. Yous should never create inline SQL or other database queries in your code using raw user input and send it directly to the database; this behavior is a recipe for disaster, as we saw above.
For example - do not create code like the following inline SQL example:
string userName = Request.QueryString["username"]; // receive input from the user BEWARE! ... string query = "SELECT * FROM [dbo].[users] WHERE userName = '" + userName + "'";
Here we concatenate text strings together to create the query, taking the input from the user and generating a dynamic SQL query to look up the user. Again, if a malicious user realized we were doing this, or just tried different input styles to see if there was a vulnerability, we could end up with a major disaster. Instead, use parameterized SQL statements or stored procedures such as this:
-- Lookup a user CREATE PROCEDURE sp_findUser ( @UserName varchar(50) ) SELECT * FROM [dbo].[users] WHERE userName = @UserName
With this method you can invoke the procedure from your code safely, passing it the userName
string without worrying about it being treated as part of the SQL statement.
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】博客园社区专享云产品让利特惠,阿里云新客6.5折上折
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步