- 使用参数化查询
- 原理:参数化查询将SQL语句与参数分离,数据库引擎会分别处理它们,从而防止恶意用户通过输入特殊字符篡改SQL逻辑。
- 代码示例:
using System;
using System.Data.SqlClient;
class Program
{
static void Main()
{
string username = Console.ReadLine();
string connectionString = "your_connection_string";
using (SqlConnection connection = new SqlConnection(connectionString))
{
string query = "SELECT * FROM Users WHERE UserName = @UserName";
using (SqlCommand command = new SqlCommand(query, connection))
{
command.Parameters.AddWithValue("@UserName", username);
try
{
connection.Open();
SqlDataReader reader = command.ExecuteReader();
while (reader.Read())
{
Console.WriteLine(reader["UserID"]);
}
}
catch (SqlException ex)
{
Console.WriteLine("SQL error: " + ex.Message);
}
}
}
}
}
- 使用存储过程
- 原理:存储过程在数据库中预编译并存储,传入的参数会被正确处理,降低了SQL注入风险。
- 代码示例:
- 首先在SQL Server中创建存储过程:
CREATE PROCEDURE GetUserByUsername
@UserName NVARCHAR(50)
AS
BEGIN
SELECT * FROM Users WHERE UserName = @UserName;
END
using System;
using System.Data.SqlClient;
class Program
{
static void Main()
{
string username = Console.ReadLine();
string connectionString = "your_connection_string";
using (SqlConnection connection = new SqlConnection(connectionString))
{
using (SqlCommand command = new SqlCommand("GetUserByUsername", connection))
{
command.CommandType = System.Data.CommandType.StoredProcedure;
command.Parameters.AddWithValue("@UserName", username);
try
{
connection.Open();
SqlDataReader reader = command.ExecuteReader();
while (reader.Read())
{
Console.WriteLine(reader["UserID"]);
}
}
catch (SqlException ex)
{
Console.WriteLine("SQL error: " + ex.Message);
}
}
}
}
}
