我想生成一个像这样的SQL查询字符串:
<div id=container>
<input type=radio name=select id=sel1>
<input type=radio name=select id=sel2>
<input type=radio name=select id=sel3>
<input type=radio name=select id=sel4>
<label class=left id=radio1_left for=sel1><img src="http://i.imgur.com/krGCplJ.png" alt=left></label>
<label class=right id=radio1_right for=sel1><img src="http://i.imgur.com/clLE3Db.png" alt=right></label>
<label class=left id=radio2_left for=sel2><img src="http://i.imgur.com/krGCplJ.png" alt=left></label>
<label class=right id=radio2_right for=sel2><img src="http://i.imgur.com/clLE3Db.png" alt=right></label>
<label class=left id=radio3_left for=sel3><img src="http://i.imgur.com/krGCplJ.png" alt=left></label>
<label class=right id=radio3_right for=sel3><img src="http://i.imgur.com/clLE3Db.png" alt=right></label>
<label class=left id=radio4_left for=sel4><img src="http://i.imgur.com/krGCplJ.png" alt=left></label>
<label class=right id=radio4_right for=sel4><img src="http://i.imgur.com/clLE3Db.png" alt=right></label>
<div id=canvas><img src="http://i.imgur.com/64v1WY4.jpg" alt=pic id=pic1><img src="http://i.imgur.com/jy9liDm.jpg" alt=pic id=pic2><img src="http://i.imgur.com/WdZd6J1.jpg" alt=pic id=pic3><img src="http://i.imgur.com/aLFYMgm.jpg" alt=pic id=pic4></div>
</div>
INSERT INTO students (id, name) VALUES (?, ?);
如果用实际值替换其中的 ? 符号，我该如何避免可能的 SQL 注入？
C# 中是否有准备参数的函数？或者有用于转义斜杠或引号的函数？请注意，我没有任何到 SQL Server 的连接，也不想使用 Entity Framework。
答案 0 :(得分:1)
请使用参数化 SQL 查询（而不是自己拼接或转义字符串），详细说明请参见此 link。
以下是来自实体框架
// Sample code from the same link: Entity SQL via ObjectQuery, with the two values
// supplied as bound parameters rather than spliced into the query text.
using (var ctx = new AdventureWorksEntities())
{
    var esql =
        @"SELECT VALUE Contact FROM AdventureWorksEntities.Contacts
AS Contact WHERE Contact.LastName = @ln AND
Contact.FirstName = @fn";
    var query = new ObjectQuery<Contact>(esql, ctx);

    // Bind the values for the @ln and @fn placeholders.
    query.Parameters.Add(new ObjectParameter("ln", "Adams"));
    query.Parameters.Add(new ObjectParameter("fn", "Frances"));

    // Enumerating the query executes it; print each Contact.
    foreach (Contact result in query)
    {
        Console.WriteLine("Last Name: {0}; First Name: {1}",
            result.LastName, result.FirstName);
    }
}
对于 ADO.NET，请使用此 link。参数值由驱动与 SQL 文本分开发送，因此无需手动转义引号或斜杠。
以下是来自同一链接的示例代码
using System;
using System.Data;
using System.Data.SqlClient;
class Program
{
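static void Main()
{
    // Integrated Security=true: Windows authentication, so no credentials
    // are embedded in the connection string.
    string connectionString =
        "Data Source=(local);Initial Catalog=Northwind;"
        + "Integrated Security=true";

    // The query text contains only a placeholder; the value is bound as a
    // typed parameter below, so it is never spliced into the SQL and cannot
    // change the shape of the statement.
    string queryString =
        "SELECT ProductID, UnitPrice, ProductName from dbo.products "
        + "WHERE UnitPrice > @pricePoint "
        + "ORDER BY UnitPrice DESC;";

    // Specify the parameter value.
    int paramValue = 5;

    // Connection and command are both disposable; the stacked using blocks
    // guarantee they are closed even when the code below throws.
    using (SqlConnection connection = new SqlConnection(connectionString))
    using (SqlCommand command = new SqlCommand(queryString, connection))
    {
        // Declare the parameter type explicitly instead of AddWithValue so the
        // provider does not have to infer the SQL type from the CLR value.
        command.Parameters.Add("@pricePoint", SqlDbType.Int).Value = paramValue;

        // Open the connection and read the result set in a try/catch block,
        // writing each row to the console window.
        try
        {
            connection.Open();
            // The reader is disposed even if Read() throws, which the original
            // reader.Close() after the loop did not guarantee.
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    Console.WriteLine("\t{0}\t{1}\t{2}",
                        reader[0], reader[1], reader[2]);
                }
            }
        }
        catch (Exception ex)
        {
            // Sample-level handling: report the failure and fall through to the prompt.
            Console.WriteLine(ex.Message);
        }

        Console.ReadLine();
    }
}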