众所周知,.net使用参数的方式可以避免注入的问题,但是审核代码时注意不要被String.Format格式化字符串的代码欺骗:
String sql = String.Format("select * from [users] where username='{0}'", Request.QueryString["username"]);
![](/Images/OutliningIndicators/None.gif)
这个代码等价于:
String sql = "select * from [users] where username='" + Request.QueryString["username"] + "'";
![](/Images/OutliningIndicators/None.gif)
![](/Images/OutliningIndicators/None.gif)
![](/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/dot.gif)
这个代码等价于:
![](/Images/OutliningIndicators/None.gif)
![](/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/dot.gif)