
OK, so I'm a newbie to parameterized queries. I understand why you should use them, but I can't find any resources that show the correct way, or at least one correct way that actually works.

So my question is about whether my code is correct. It compiles and runs fine, but it returns absolutely nothing in the gridview.

```csharp
using System.Data.SqlClient;

protected void SearchButton_Click(object sender, EventArgs e)
{
    string searchBoxValue = SearchBox.Text;
    // ToLower() returns a new string, so the result has to be assigned back
    string columnNameValue = ColumnName.SelectedValue.ToLower();

    SqlCommand searchCommand = new SqlCommand();
    searchCommand.Connection = connection;
    // Both the column name and the search term are bound as parameters here
    searchCommand.CommandText = "select firstname AS FirstName,lastname AS LastName, zipcode as ZipCode, phone AS Phone, email AS Email, cancersurvivor AS CancerSurvivor, ethnicity AS Ethnicity from registrants where @columnname = @searchterm";

    SqlParameter columnParam = new SqlParameter();
    columnParam.ParameterName = "@columnname";
    columnParam.Value = columnNameValue;

    SqlParameter searchBoxParam = new SqlParameter();
    searchBoxParam.ParameterName = "@searchterm";
    searchBoxParam.Value = searchBoxValue;

    searchCommand.Parameters.Add(columnParam);
    searchCommand.Parameters.Add(searchBoxParam);

    UpdateTable(searchCommand);
}
```

The UpdateTable function takes a SqlCommand object, then uses a DataAdapter object to execute the command and fill a DataTable object, then sets the gridview's data source to the datatable object and binds it.

Like I said before, I'm really looking for the right way to do this. Do I need a stored procedure to do this? I'm confused about all of this and about why it doesn't work.


4 Answers


You cannot parameterize @columnname. That needs to be a literal in the query.

Your statement

```sql
select 
 /* .... */
from registrants where @columnname = @searchterm
```

will return all rows from registrants if the values of the parameters happen to be the same, or no rows otherwise.

It does not look at whether you have a column with that name and check whether @searchterm exists in it.

To do this in a safe manner you need to check that columnNameValue matches one of a whitelist of valid column names (as you must know the possible column names in that table) and concatenate it into your query. Do not concatenate unvalidated user input. Then you are open to SQL injection.

So you could implement it like

```csharp
using System.Linq;
using System.Data.SqlClient;

protected void SearchButton_Click(object sender, EventArgs e)
{
    string columnNameValue = ColumnName.SelectedValue.ToLower();

    // Whitelist of column names that may be concatenated into the query
    var validColumnNames = new string[] { "firstname", "lastname", "zipcode" };

    if (!validColumnNames.Contains(columnNameValue))
    {
        throw new Exception("Unexpected column name " + columnNameValue);
    }

    /* ... code omitted */

    // Only the validated column name is concatenated; the search term stays a parameter
    searchCommand.CommandText = "select firstname AS FirstName,lastname AS LastName, zipcode as ZipCode, phone AS Phone, email AS Email, cancersurvivor AS CancerSurvivor, ethnicity AS Ethnicity from registrants where " + columnNameValue + " = @searchterm";

    /* ... code omitted */
}
```
answered 2012-12-19T20:43:30.823
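The comparison semantics this answer describes, and the whitelist it recommends, as an added example that is not part of the original page or of the asker's code. It uses Python with the standard-library sqlite3 module so it runs offline; the engine is not SQL Server, but parameter binding behaves the same way in both: a bound value is compared as a value and is never parsed as an identifier. The table, its rows and the contents of the allowlist are constructed for the example. The same block also shows what the unvalidated concatenation in the two answers below lets a client-controlled column name do; the posted value of a drop-down is still input from the browser and should be treated as untrusted.

```python
import sqlite3

# Constructed sample data standing in for the question's "registrants" table;
# the column names come from the question's SELECT list, the rows are made up.
SAMPLE_ROWS = [
    ("Alice", "Smith", "90210", "555-0100", "alice@example.com", 0, "unknown"),
    ("Bob", "Jones", "10001", "555-0101", "bob@example.com", 1, "unknown"),
    ("Carol", "Smith", "60601", "555-0102", "carol@example.com", 0, "unknown"),
]

# Allowlist of columns the search box may filter on. Its contents are an
# assumption for this example; derive the real list from your own schema.
SEARCHABLE_COLUMNS = frozenset({"firstname", "lastname", "zipcode"})


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrants (firstname TEXT, lastname TEXT, zipcode TEXT, "
        "phone TEXT, email TEXT, cancersurvivor INTEGER, ethnicity TEXT)"
    )
    conn.executemany("INSERT INTO registrants VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_column_as_parameter(conn, column_name, term):
    """The question's approach: column name and search term are both bound as
    parameters. The engine compares the two bound strings with each other; no
    column is consulted, so the result is either every row or no row."""
    sql = "SELECT firstname, lastname FROM registrants WHERE ? = ? ORDER BY firstname"
    return conn.execute(sql, (column_name, term)).fetchall()


def search_unvalidated_concat(conn, column_name, term):
    """The approach of the two answers that follow: the column name is pasted
    into the SQL text without validation and only the value is bound. Correct
    for honest input, but the column position now accepts arbitrary SQL."""
    sql = f"SELECT firstname, lastname FROM registrants WHERE {column_name} = ? ORDER BY firstname"
    return conn.execute(sql, (term,)).fetchall()


def search_allowlisted(conn, column_name, term):
    """This answer's approach: reject anything not on the allowlist, then
    concatenate the now-trusted identifier and bind the value as a parameter.
    Raises ValueError for a column that is not searchable."""
    column_name = column_name.lower()
    if column_name not in SEARCHABLE_COLUMNS:
        raise ValueError(f"Unexpected column name {column_name!r}")
    # Quote the identifier as well (ANSI double quotes here; SQL Server uses
    # [brackets] or QUOTENAME) so it can only ever parse as a column reference.
    sql = f'SELECT firstname, lastname FROM registrants WHERE "{column_name}" = ? ORDER BY firstname'
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print(search_column_as_parameter(db, "lastname", "Smith"))        # [] because 'lastname' != 'Smith'
    print(search_column_as_parameter(db, "x", "x"))                   # all three rows
    print(search_unvalidated_concat(db, "1=1 OR lastname", "nobody")) # all three rows: the table leaks
    print(search_allowlisted(db, "LastName", "Smith"))                # the two Smiths
```

The injected column name `1=1 OR lastname` turns the unvalidated query into `WHERE 1=1 OR lastname = ?`, which returns the whole table whatever the search term is; the allowlisted version refuses the same input before any SQL is built.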

The purpose of parameterized commands is to prevent sql injection. You cannot parameterize the name of a column; sql will take it as a string.

```csharp
using System.Data.SqlClient;

protected void SearchButton_Click(object sender, EventArgs e)
{
    string searchBoxValue = SearchBox.Text;
    // ToLower() returns a new string, so the result has to be assigned back
    string columnNameValue = ColumnName.SelectedValue.ToLower();

    SqlCommand searchCommand = new SqlCommand();
    searchCommand.Connection = connection;
    //Put the column name directly in the request, but use a parameter for the search value
    searchCommand.CommandText = "select firstname AS FirstName,lastname AS LastName, zipcode as ZipCode, phone AS Phone, email AS Email, cancersurvivor AS CancerSurvivor, ethnicity AS Ethnicity from registrants where " + columnNameValue  + " = @searchterm";

    /* No need for this part
    SqlParameter columnParam = new SqlParameter();
    columnParam.ParameterName = "@columnname";
    columnParam.Value = columnNameValue;
    */

    SqlParameter searchBoxParam = new SqlParameter();
    searchBoxParam.ParameterName = "@searchterm";
    searchBoxParam.Value = searchBoxValue;

    //searchCommand.Parameters.Add(columnParam);
    searchCommand.Parameters.Add(searchBoxParam);

    UpdateTable(searchCommand);
}
```
answered 2012-12-19T20:46:00.883

Your problem lies in how you are trying to pass the column name as a parameter. You need to change the query as a whole to reflect the column you want to filter on. Try the following:

```csharp
using System.Data.SqlClient;

protected void SearchButton_Click(object sender, EventArgs e)
{
    string searchBoxValue = SearchBox.Text;
    // ToLower() returns a new string, so the result has to be assigned back
    string columnNameValue = ColumnName.SelectedValue.ToLower();

    SqlCommand searchCommand = new SqlCommand();
    searchCommand.Connection = connection;
    // The column name is formatted into the SQL text (not validated here); the search term is bound
    searchCommand.CommandText = String.Format("select firstname AS FirstName,lastname AS LastName, zipcode as ZipCode, phone AS Phone, email AS Email, cancersurvivor AS CancerSurvivor, ethnicity AS Ethnicity from registrants where {0} = @searchterm",columnNameValue);

    SqlParameter searchBoxParam = new SqlParameter();
    searchBoxParam.ParameterName = "@searchterm";
    searchBoxParam.Value = searchBoxValue;

    // Only the search term is a parameter now; there is no column parameter to add
    searchCommand.Parameters.Add(searchBoxParam);

    UpdateTable(searchCommand);
}
```
answered 2012-12-19T20:45:08.060

If you want it to work, you have to build the SQL statement dynamically and execute it with sp_executesql inside the proc, like so:

```sql
DECLARE @IntVariable int;
DECLARE @SQLString nvarchar(500);
DECLARE @ParmDefinition nvarchar(500);

/* Build the SQL string one time.*/
SET @SQLString =
     N'SELECT BusinessEntityID, NationalIDNumber, JobTitle, LoginID
       FROM AdventureWorks2012.HumanResources.Employee 
       WHERE BusinessEntityID = @BusinessEntityID';
SET @ParmDefinition = N'@BusinessEntityID tinyint';
/* Execute the string with the first parameter value. */
SET @IntVariable = 197;
EXECUTE sp_executesql @SQLString, @ParmDefinition,
                      @BusinessEntityID = @IntVariable;
/* Execute the same string with the second parameter value. */
SET @IntVariable = 109;
EXECUTE sp_executesql @SQLString, @ParmDefinition,
                      @BusinessEntityID = @IntVariable;
```

You still get the benefit of using parameterized queries and you do not expose yourself to SQL injection.

Source is here. Another very useful link is this one.

answered 2012-12-19T20:52:44.973