
Because of a legacy database access layer, I have to build the SQL statement for a stored procedure's parameters dynamically.

// Decode each byte[] argument to text, double any single quote and drop newlines,
// then splice the result into the statement text (the approach the question asks about).
var s1 = Encoding.ASCII.GetString(p1).Replace("'", "''").Replace("\n", " ");
var s2 = Encoding.ASCII.GetString(p2).Replace("'", "''").Replace("\n", " ");
.....
var sql = string.Format("exec storedprocedure @p1='{0}', @p2='{1}', @p3='{2}', ....",
    s1, s2, s3, ...);

Now, after converting the value to an ASCII string, I replace ' with '' and replace \n with a single space. What else do I need to do? For certain reasons I cannot use SqlParameter and have to concatenate strings.

1 Answer

Don't.

Use typed parameters on all of your queries that have dynamic inputs. All of the flavors of ADO have typed parameters, as well as ADO.NET providers for every database under the sun. If you try to roll your own SQL injection prevention, you're gonna have a bad time.

Answered 2013-03-28T04:17:14.453
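As an added example (not code from the question or the answer), the call from the question rewritten the way the answer recommends: every value is bound as a typed SqlParameter instead of being escaped and spliced into the statement text. It assumes an open SqlConnection, a procedure named storedprocedure with parameters @p1..@p3, and VarChar(255) parameter types, which are placeholders to be matched to the real procedure signature.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Hypothetical helper (added example). The decoding is the same as in the question;
// what changes is that the decoded text is a parameter value, never statement text.
static class SafeProcCall
{
    // Preferred form: CommandType.StoredProcedure, parameters sent as RPC arguments.
    public static int Exec(SqlConnection conn, byte[] p1, byte[] p2, byte[] p3)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = "storedprocedure";

            // No Replace("'", "''") needed: the provider transmits the value out-of-band,
            // so quotes and newlines in the data cannot alter the statement.
            cmd.Parameters.Add("@p1", SqlDbType.VarChar, 255).Value = Encoding.ASCII.GetString(p1);
            cmd.Parameters.Add("@p2", SqlDbType.VarChar, 255).Value = Encoding.ASCII.GetString(p2);
            cmd.Parameters.Add("@p3", SqlDbType.VarChar, 255).Value = Encoding.ASCII.GetString(p3);

            return cmd.ExecuteNonQuery();
        }
    }

    // If the legacy layer insists on a text command, the text still only carries
    // parameter placeholders; the values are bound exactly as above.
    public static int ExecViaText(SqlConnection conn, string p1, string p2, string p3)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.Text;
            cmd.CommandText = "exec storedprocedure @p1 = @p1, @p2 = @p2, @p3 = @p3";

            cmd.Parameters.Add("@p1", SqlDbType.VarChar, 255).Value = (object)p1 ?? DBNull.Value;
            cmd.Parameters.Add("@p2", SqlDbType.VarChar, 255).Value = (object)p2 ?? DBNull.Value;
            cmd.Parameters.Add("@p3", SqlDbType.VarChar, 255).Value = (object)p3 ?? DBNull.Value;

            return cmd.ExecuteNonQuery();
        }
    }
}
```

A quick check that the refactor is complete: the final CommandText should contain no string.Format or concatenation of request data, only the procedure name and @placeholders.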