我有一个包含SQL查询的程序,昨天有人向我指出它对SQL注入攻击很开放。做了一些研究后,我可以看到要解决这个问题,我需要使用参数代替。 我有以下代码......如何进行参数化?
Public Shared Function SaveNewPerson(ByVal firstName As String, lastName As String, ByVal age As Integer, ByVal postcode As String, m_cn As OleDbConnection)
Dim tr As OleDbTransaction = Nothing
Try
tr = m_cn.BeginTransaction()
Dim Dc As New OleDbCommand
Dc.Connection = m_cn
Dc.CommandText = "INSERT INTO tblPerson([firstName], [lastName], [age], [postcode]) VALUES('" & firstName & "', '" & lastName & "', '" & age & "', '" & postcode & "')"
Dc.Transaction = tr
Dc.ExecuteNonQuery()
Dim personID As Integer
Dc.CommandText = "SELECT SCOPE_IDENTITY() AS personID"
Dc.CommandType = CommandType.Text
personID = CType(Dc.ExecuteScalar(), Integer)
tr.Commit()
Catch ex As Exception
tr.Rollback()
Throw
End Try
End Function
答案 0 :(得分:0)
我首先要创建一个存储过程,然后插入到sql server中,然后使用
dc.commandText = "Your stored procedure name"
dc.commandType = CommandType.StoredProcedure
Dim myParam as oledb.OleDbParameter = dc.parameters.add("@personID", oledbtype.int)
myParam.Direction = ParameterDirection.ReturnValue
dc.Parameters.Add("@firstName", OleDbType.VarChar).Value = [firstname]
....
....
Dim returnId as Integer = Cint(dc.Parameters("@personID").Value)
答案 1 :(得分:-1)
Dc.CommandText = "INSERT INTO tblPerson([firstName], [lastName], [age], [postcode]) VALUES('" & firstName & "', '" & lastName & "', '" & age & "', '" & postcode & "')"
将此更改为
Dc.CommandText = "INSERT INTO tblPerson([firstName], [lastName], [age], [postcode]) VALUES(?, ?, ?, ?)"
Dc.Parameters.Add("@first", OleDbType.VarChar, firstName)
Dc.Parameters.Add("@last", OleDbType.VarChar, lastName)
Dc.Parameters.Add("@age", OleDbType.Integer, age)
Dc.Parameters.Add("@postcode", OleDbType.VarChar, postcode )
(检查传递的OldDbType值是否正确。)
NB。参数集合中的顺序确定哪个参数与哪个?占位符匹配。给出参数的名称(似乎)被忽略了。