1

有人可以告诉我为什么下面的代码在字符串之前和之后添加了 2 个单引号('' string '')?

    List<string> rolls
    StringBuilder sb = new StringBuilder();

            foreach (var roll in rolls)
                sb.Append("'" + roll + "',");

            string rollList = sb.ToString().TrimEnd(',');

    string sql =
               @"SELECT enrolment_status, roll_number FROM dt_modular_enrolment WHERE id_student = ?
                    AND roll_number in " + "( " + rollList + " )"; 

    creates the below:
    in ( ''ROLL4'',''ROLL6'',''ROLL5'',''ROLL1'',''ROLL2'',''ROLL3'' )

谢谢!

只是为了更新 - 代码没有任何问题(除了 sql 注入的可能性)它是一个 sql profiler bug 添加了额外的引号。

4

4 回答 4

3

从 SQL 注入的角度来看,这实际上是非常危险的。不幸的是,IN查询很难正确参数化,因为 TSQL 缺少“拆分”功能。但是,很多工具可以帮助您解决这个问题。例如,对于大多数 LINQ 提供程序,它只是:

List<string> rolls = ...
int studentId = ...
var query = from row in ctx.ModularEnrolment
            where row.StudentId = studentId
            and rolls.Contains(row.roll_number)
            select new { row.EnrolmentStatus, row.RollNumber };

或使用dapperin @someParameter之类的工具(对不使用括号时进行特殊处理):

List<string> rolls = ...
int studentId = ...
var rows = connection.Query(@"
SELECT enrolment_status, roll_number FROM dt_modular_enrolment
WHERE id_student = @studentId and roll_number in @rolls",
        new { rolls, studentId });
于 2013-07-16T07:17:55.033 回答
2

确保滚动列表中的字符串不包含引号

于 2013-07-16T06:59:31.657 回答
0

不要在那儿弄得一团糟,而是使用 join 方法,该方法用于将列表中的所有值连接到带有分隔符的字符串;

将您的代码重写为(如果您的卷已经包含单引号)

List<string> rolls
string sql =@"SELECT enrolment_status, roll_number FROM 
dt_modular_enrolment WHERE id_student = ? AND 
roll_number in " + "( " + String.Join(",",rolls) + " )";

否则,如果您的卷不包含单引号,请在 sql 语句之前添加以下几行:

for(int i=0;i<rolls.Count;i++)
{
    rolls[i]="'"+ rolls[i]+ "'";
}
于 2013-07-16T07:20:28.117 回答
-1

请使用以下代码检查您的代码...由于您没有提到存储在卷中的内容,我已经重写了您的代码以实现目标结果

List<string> rolls = new List<string>();
rolls.Add("ROLL4");//HERE THERE CAN BE A ISSUE
rolls.Add("ROLL6");
rolls.Add("ROLL5");
rolls.Add("ROLL1");
rolls.Add("ROLL2");
rolls.Add("ROLL3");
        StringBuilder sb = new StringBuilder();

        foreach (var roll in rolls)
            sb.Append("'" + roll + "',");

        string rollList = sb.ToString().TrimEnd(',');

        string sql =
                   @"SELECT enrolment_status, roll_number FROM dt_modular_enrolment WHERE id_student = ?
                AND roll_number in " + "( " + rollList + " )";

编写上述代码后,我得到以下输出 sql = SELECT enrolment_status, roll_number FROM dt_modular_enrolment WHERE id_student = ? AND roll_number in ('ROLL4','ROLL6','ROLL5','ROLL1','ROLL2','ROLL3') & rollList = 'ROLL4','ROLL6','ROLL5','ROLL1','ROLL2' ,'滚动 3'

于 2013-07-16T07:04:36.347 回答