How to parameterize this VB query

Time: 2017-09-06 10:40:45

Tags: c# sql vb.net sql-injection

We would like your suggestions on this

Public Function MyMethod(ByVal CustomDataTable As DataTable) As String

    Dim columnQueryBuilder As New StringBuilder()
    Dim Parameters As New List(Of MyDBParameters)
    ' MyColumn1 is already bound as a real parameter
    Parameters.Add(MyDBObject.CreateParameter("MyColumn1", "SomeString"))

    ' The values for the IN (...) list are spliced into the SQL text as
    ' quoted literals; this is the part that is still open to injection
    For Each EachRow As DataRow In CustomDataTable.DefaultView.ToTable().Rows
        If columnQueryBuilder.Length > 0 Then
            columnQueryBuilder.Append(", ")
        End If
        columnQueryBuilder.Append("'")
        columnQueryBuilder.Append(EachRow("MyColumn").ToString())
        columnQueryBuilder.Append("'")
    Next

    Dim totalQuery As String = String.Format( _
        "Select MyColumn3 from Mytable where MyColumn1=@MyColumn1 AND MyColumn2 in ({0}) ", _
        columnQueryBuilder.ToString())

    Dim outputString As String = MyDbHelper.ExecuteQuery(totalQuery, Parameters.ToArray())
    Return outputString
End Function

As you can see, it takes one column from the input DataTable, collects all the values from that column and builds the list columnbuilderQuery = 'MyColumnValue1','MyColumnValue2', and then I put that into the query.

How can I remove this string-builder logic and do it in a parameterized way, so that the SQL injection vulnerability is removed?

0 answers:

No answers
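The page has no answer, so the following is an added example (not the asker's code, and not from any library the post names) of the usual way to parameterize an IN list in ADO.NET: generate one placeholder name per value, add a SqlParameter for each, and let the SQL text contain only names that the code itself produced. It builds a System.Data.SqlClient SqlCommand directly instead of the post's MyDbHelper, assumes MyColumn1 and MyColumn2 are NVARCHAR(100) (an assumption), and uses a constructed sample table, including a value that would have broken the quoted-literal version; it does not need a database to run.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text

Module ParameterizedInExample

    ' Builds the query with one SqlParameter per value in the IN list.
    ' The SQL text only ever contains placeholder names generated here;
    ' the user-supplied values travel as parameters and are never concatenated.
    Public Function BuildQuery(ByVal customDataTable As DataTable,
                               ByVal column1Value As String) As SqlCommand
        Dim cmd As New SqlCommand()
        ' Column types/lengths are an assumption for this example
        cmd.Parameters.Add("@MyColumn1", SqlDbType.NVarChar, 100).Value = column1Value

        Dim placeholders As New StringBuilder()
        Dim i As Integer = 0
        For Each row As DataRow In customDataTable.Rows
            If placeholders.Length > 0 Then placeholders.Append(", ")
            Dim name As String = "@MyColumn2_" & i
            placeholders.Append(name)
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 100).Value = row("MyColumn").ToString()
            i += 1
        Next

        If placeholders.Length = 0 Then
            ' "IN ()" is a syntax error in T-SQL; an empty list should match nothing
            cmd.CommandText = "SELECT MyColumn3 FROM Mytable WHERE 1 = 0"
        Else
            cmd.CommandText = "SELECT MyColumn3 FROM Mytable " &
                              "WHERE MyColumn1 = @MyColumn1 AND MyColumn2 IN (" &
                              placeholders.ToString() & ")"
        End If
        Return cmd
    End Function

    Sub Main()
        ' Constructed sample input; the last value is the kind of string that
        ' would have altered the query when spliced in as a quoted literal
        Dim table As New DataTable()
        table.Columns.Add("MyColumn", GetType(String))
        table.Rows.Add("MyColumnValue1")
        table.Rows.Add("MyColumnValue2")
        table.Rows.Add("x') OR 1=1 --")

        Dim cmd As SqlCommand = BuildQuery(table, "SomeString")
        Console.WriteLine(cmd.CommandText)
        For Each p As SqlParameter In cmd.Parameters
            Console.WriteLine("{0} = {1}", p.ParameterName, p.Value)
        Next

        ' To execute against a real server (connectionString is an assumption):
        ' Using conn As New SqlConnection(connectionString)
        '     cmd.Connection = conn
        '     conn.Open()
        '     Dim result As Object = cmd.ExecuteScalar()
        ' End Using
    End Sub

End Module
```

Two caveats a practitioner will want: SQL Server caps a single command at 2100 parameters, so for very large lists pass the values as a table-valued parameter or stage them in a temp table instead of growing the IN list; and the empty-list branch matters, because the quoted-literal version would silently emit `IN ()` and fail at runtime.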