Parameter passing through URL addresses (preventing hacker attacks)

In java, there is a PreparedStatment thing. I don't know if it is in. net. It is more physical and physical. If. net has something similar, it can be used.

In addition, there is another way to filter and select SQL keywords in input parameters, but this method is not very advanced. In this way, if these keywords exist in normal services, they will not work.

SQL injection is to assemble SQL statements with ulterior motives. For example:

Insert into table (id, content) values (SELECT 1 from user where rownum <2), xxxx)

Select * from table where id = 1 OR 1 = 1

Select * from table where name = xx or 1 = 1

In the above case, we only need to ensure two things to prevent SQL injection:

1. for numbers, it must be a number instead of "1 or 1 = 1"
2. for strings, you only need to escape single quotes and convert them to select * from table whee name = xx or 1 = 1. (I don't know if some databases need to filter double quotation marks ).

Since it is not very efficient to judge whether a parameter contains only numbers, you can write where id = 1. In this way, you only need to escape single quotes for all parameters.

Enclose all parameters in quotation marks, regardless of numbers and strings. There is no problem. Rather, it is a good habit. Some databases may design the ID type as a string. If this design is used, the index of the id field cannot be used in the format of id = 1.

The above is my experience. I am not familiar with other databases. It is estimated that the database is a special Oracle database.