0

我正在修复代码中的 SQL 注入。其中一种方法执行存储过程并添加违反 SQL 注入规则的参数:

sqlCmd.CommandText = "updateSalesReps @repNumber='" + RepNumber + "', 
@ISONumber='" + ISONumber + "', @type='" + strUpdtType + "'";

现在,我正在添加参数:

sqlCmd.Parameters.AddWithValue("@rNumber", RepNumber);
sqlCmd.Parameters.AddWithValue("@isoNumber", ISONumber);
sqlCmd.Parameters.AddWithValue("@updateType",strUpdtType);

这是我的最后一个查询:

 sqlCmd.CommandText = "updateSalesReps @repNumber=@repNumber, 
 @ISONumber=@isoNumber, @type=@updateType";

我的问题是...@repNumber=@repNumber...在我的存储过程中是否可以,否则会产生命名歧义?

4

1 回答 1

2

If you specify the commandType and commandText properties on the command object you dont need to do that. Assuming you're using SQL Server stored procs, try:

   SqlCommand sqlCmd = new SqlCommand();
   sqlCmd.CommandTimeout = 15;
   sqlCmd.CommandType = CommandType.StoredProcedure;
   sqlCmd.CommandText = "updateSalesReps"

Then add to your parameters collection using AddWithValue.

Reference: CommandType in MSDN

When you set the CommandType property to StoredProcedure, you should set the CommandText property to the name of the stored procedure. The command executes this stored procedure when you call one of the Execute methods.

于 2015-08-12T20:17:23.560 回答