C# 避免SQL注入攻擊
SQL 語法以參數方式傳入輸入資料
SQL injection
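// pre-data 前置資料
// Sample values standing in for data that arrives from outside the application
// (user input, a file, another system) and therefore must not be trusted.
ArrayList TestExternalData = new ArrayList
{
    "01", "02", "03", "04", "05"
};
string fieldB = "bb";
string fieldC = "cc";

// define variables 定義變數
ArrayList inputData = new ArrayList();     // Input data 輸入資料: parameter values, in placeholder order
ArrayList inPlaceholders = new ArrayList(); // "@1", "@2", ... one per value of the IN (...) list
int sqlInCount = 0;                         // Count 參數數量: running placeholder number

// assign value 賦予值
// Iterate over the external values themselves rather than a hard-coded count of 5,
// so the placeholder list and inputData stay in step when the input changes size.
foreach (object value in TestExternalData)
{
    inputData.Add(value);
    inPlaceholders.Add("@" + (++sqlInCount).ToString());
}
// "in ( )" with no values is not valid SQL; fail early with a clear message
// instead of letting the database reject the statement.
if (inPlaceholders.Count == 0)
{
    throw new InvalidOperationException("TestExternalData must contain at least one value for the fieldA IN (...) clause.");
}
string sqlDynParam = string.Join(" ,", inPlaceholders.ToArray()); // EX:"@1 ,@2 ,@3 ,@4"
// Placeholder numbers for the two scalar conditions, taken after the IN-list
// values so they line up with the position of fieldB / fieldC in inputData.
int fieldBParam = ++sqlInCount;
int fieldCParam = ++sqlInCount;
inputData.Add(fieldB);
inputData.Add(fieldC);

// SQL syntax Sql語法
// Only placeholder names are spliced into the statement text; every value travels
// in inputData, so untrusted data never becomes part of the SQL itself.
// Table and column names are fixed literals here — they must not come from input,
// because parameters cannot stand in for identifiers.
string sql = "" +
    " select d1 ,d2 " +
    " from dataFormA " +
    " where 1 = 1 " +
    " and fieldA in ( " + sqlDynParam + " ) " +
    " and fieldB = @" + fieldBParam.ToString() + " " +
    " and fieldC = @" + fieldCParam.ToString() + " " +
    "";

// Database Connectivity 資料庫連線
// NOTE(review): assumes DB.GetDataTable binds inputData[i] to placeholder @(i+1) — confirm against its implementation.
DB.GetDataTable(sql, inputData);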