In the computer room charge system, parameters are passed to SQL statements and stored procedures in the form of SqlParameter objects, because parameterized queries help protect against "SQL injection" attacks, in which an attacker inserts commands into the SQL statement and thereby endangers the security of the server.
```csharp
SqlParameter param = new SqlParameter("@CourseID", 4);
```
This protects against SQL injection to a certain extent, but not as well as it could. Look carefully and you will find that the SqlParameter class has 7 constructors, each with a different parameter list. Since we are assigning parameters to SQL statements anyway, we can also match the data type and size of the column stored in the database to achieve the closest possible match. This also improves query execution performance, because it helps the database server match the incoming command to the appropriate cached execution plan.
```csharp
// The size value 10 is assumed here; the original omitted it, which does not compile
SqlParameter param = new SqlParameter("@CourseID", SqlDbType.VarChar, 10, "CourseID");
```
Note: in the form of the SqlParameter constructor used above, the first argument is the parameter name, the second is the data type, the third is the size, and the fourth is the name of the corresponding column in the database.
Improved
Use the ParameterDirection enumeration type (which specifies the type of a parameter within a query relative to the DataSet) to improve on the above.
ParameterDirection has four members: Input (input parameter), Output (output parameter), InputOutput (both input and output parameter) and ReturnValue (the return value of the operation).
Passing parameters
```csharp
SqlParameter[] Params = new SqlParameter[2];
Database DB = new Database();
string strSQL = "DELETE FROM USERANSWERMR WHERE userid = @UserID AND paperid = @PaperID";
// User ID; the size 10 is assumed, the original call omitted the size argument
Params[0] = DB.MakeInParam("@UserID", SqlDbType.VarChar, 10, UserID);
// Paper ID
Params[1] = DB.MakeInParam("@PaperID", SqlDbType.Int, 4, paperid);
```
Introduction of ParameterDirection
```csharp
// Public method: instantiate a parameter for calling a stored procedure
// Input:
//   paramName - parameter name
//   dbType    - parameter type
//   size      - parameter size
//   direction - transfer direction
//   value     - value
public SqlParameter MakeParam(string paramName, SqlDbType dbType, Int32 size, ParameterDirection direction, object value)
{
    SqlParameter param;
    if (size > 0)
        param = new SqlParameter(paramName, dbType, size);
    else
        param = new SqlParameter(paramName, dbType);
    param.Direction = direction;
    if (value != null)   // the original used a single '=' here, which does not compile in C#
        param.Value = value;
    return param;
}

// Public method: instantiate an input parameter for calling a stored procedure
// Input: paramName - parameter name; dbType - parameter type; size - parameter size; value - value
public SqlParameter MakeInParam(string paramName, SqlDbType dbType, int size, object value)
{
    return MakeParam(paramName, dbType, size, ParameterDirection.Input, value);
}
```
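As an added example (not the original post's code), here is the same DELETE written first with string concatenation and then with the typed, direction-aware parameters described above, plus an output parameter read back after execution. The table USERANSWERMR with columns userid varchar(10) and paperid int, the connection string, and the stored procedure sp_CountAnswers are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumed schema: USERANSWERMR(userid varchar(10), paperid int); sp_CountAnswers is hypothetical.
public static class ParameterDemo
{
    // VULNERABLE: the value is pasted into the SQL text, so a quote in userId changes the statement's structure.
    public static string BuildUnsafeDelete(string userId, int paperId)
    {
        return "DELETE FROM USERANSWERMR WHERE userid = '" + userId + "' AND paperid = " + paperId;
    }

    // SAFE: values travel as typed parameters matching the column definitions; the server never parses
    // them as SQL, and one cached plan serves every call.
    public static int DeleteAnswers(string connStr, string userId, int paperId)
    {
        const string sql = "DELETE FROM USERANSWERMR WHERE userid = @UserID AND paperid = @PaperID";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add(MakeParam("@UserID", SqlDbType.VarChar, 10, ParameterDirection.Input, userId));
            cmd.Parameters.Add(MakeParam("@PaperID", SqlDbType.Int, 4, ParameterDirection.Input, paperId));
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // ParameterDirection.Output: the procedure writes into the parameter, and Value is readable afterwards.
    public static int CountAnswers(string connStr, string userId)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("sp_CountAnswers", conn) { CommandType = CommandType.StoredProcedure })
        {
            cmd.Parameters.Add(MakeParam("@UserID", SqlDbType.VarChar, 10, ParameterDirection.Input, userId));
            var count = MakeParam("@Count", SqlDbType.Int, 4, ParameterDirection.Output, null);
            cmd.Parameters.Add(count);
            conn.Open();
            cmd.ExecuteNonQuery();
            return (int)count.Value;
        }
    }

    // Same shape as the post's MakeParam helper, with the null check written correctly.
    private static SqlParameter MakeParam(string name, SqlDbType type, int size, ParameterDirection dir, object value)
    {
        var p = size > 0 ? new SqlParameter(name, type, size) : new SqlParameter(name, type);
        p.Direction = dir;
        if (value != null) p.Value = value;
        return p;
    }
}
```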
Summary
By introducing ParameterDirection, the efficiency of the query is improved on the one hand, and on the other hand the reliability of parameter transmission is increased.