-1

I am looking for all the possible positions in a sql statement that a sql function can be called. It is my first time to use sql functions and in my code I need to detect whether users' input contains sql function, if so, the input is not valid.

The position in sql statement means SELECT clause or other clause like FROM, WHERE......

I am using SQL Server

So is there any suggestions for detect sql functions in a sql statement or all the possible positions for the function in a statement?

4

2 回答 2

1

SQL functions are allowed in any place in a SELECT where a column is allowed, i.e. anywhere in the SELECT list, in WHERE, JOIN, GROUP BY, HAVING, ORDER BY.

You'll need a SQL parser to know for sure if it's a function...

于 2013-09-18T19:14:17.057 回答
1

如果我理解您的问题,您是在询问如何以及在何处检查用户输入的 SQL 代码。

哪里:
我认为您可能需要在用户界面中检查它,检查文本框或文件或用户的输入流是什么。这不应在 sql server ASAIK 中完成

How:
通常你可以在你的 SQL 语句中使用参数,这样用户传递的任何值都由参数传递,如果它包含 SQL 代码,则不会执行。

于 2013-09-18T18:35:08.893 回答