如何解决C# Linq to SQL 包含安全的 sql 注入
通常我知道 Linq to SQL 对于 SQL 注入是安全的,因为它使用 be8ec4e48d7f: Already exists
33b8b485aff0: Already exists
d887158cc58c: Already exists
05895bb28c18: Already exists
3717254b824f: Already exists
5d1752e32f1f: Already exists
98554cf2e2ec: Already exists
3a83ccd2f4ee: Already exists
c793dcd65f37: Already exists
c4412ad3121f: Already exists
eba3bc56bff9: Already exists
2b1b6e815dce: Already exists
dda735bf3557: Already exists
dbece9223ffc: Already exists
49533680b25f: Already exists
8d332721c923: Already exists
d40c3e8ecbdb: Already exists
75f43ec617dd: Already exists
225f75c25e6b: Already exists
81811c4b9e22: Already exists
409197acab0f: Already exists
9b5199518afc: Already exists
b7040ab58553: Already exists
b6e55490ca80: Already exists
e04c7210075d: Already exists
68db66ab7dda: Already exists
bbe68713195e: Already exists
1d7c9599b03c: Already exists
c7472ba4bdbd: Already exists
3c4082628c2e: Already exists
50f7a489c209: Already exists
aaf98f685aa2: Already exists
8cf31fcd419c: Already exists
a80092fe6016: Already exists
9d90bdef5603: Already exists
9d13d2b62b19: Already exists
cab2bcedcfdf: Already exists
41670cbb355b: Already exists
4036f94db6f4: Retrying in 19 seconds
42f95b51f0f7: Download complete
91f3ac158888: Download complete
df09d420f619: Download complete
7ca46f747969: Download complete
34e5e5eb8b2f: Download complete
ce8b1ad11171: Download complete
4b124d6694bd: Download complete
a71b50d0f70c: Download complete
237b8823183b: Download complete
4036f94db6f4: Downloading 12.41MB/12.41MB
64858da6aaea: Download complete
3e88dcb59e3e: Download complete
aa92021cb41d: Download complete
0569c05fcc65: Download complete
63ee9c05e34b: Download complete
48ac0999fcdb: Download complete
e10d1975849c: Download complete
611db2146c6f: Download complete
7ad4e600c6c6: Download complete
4261ad6f88e3: Download complete
c20e2f82fd11: Download complete
49f62c0b1913: Download complete
cb37060da14d: Download complete
f19eda2c4fb2: Download complete
e600fca97576: Download complete
508947b05054: Download complete
652c4860c2f3: Download complete
358d27eb7aaa: Download complete
27cfd1cb1501: Download complete
673d626b28c0: Download complete
20d0b16ebf52: Download complete
0cfff8a600f6: Download complete
00065e08cdfc: Download complete
bd51e67b9159: Download complete
7e8e6548bdec: Download complete
1dea31859db5: Download complete
f058efbc49a4: Download complete
3e10bb0abdd8: Download complete
617d42f04950: Download complete
798390048c18: Download complete
2b389764a032: Download complete
002f5c6ccc90: Download complete
unexpected EOF
(如 here 和 here 所述)。
但是 SqlParameter
的情况如何:
contains
如果我直接在 SQL Server 中记录查询,我可以看到使用了以下查询:
StreetRepository.Streets.Where(w => w.Streetname.Contains("Road"))
正如我们所见,该查询没有使用参数。如果我使用以下命令:
SELECT [Extent1].[Id] AS [Id],[Extent1].[Streetname] AS [Streetname]
FROM [dbo].[Streets] AS [Extent1]
WHERE [Extent1].[Streetname] LIKE N'%Road%'
我明白了:
StreetRepository.Streets.Where(w => w.Streetname.Contains("Road' OR 1=1"))
在这种情况下,它由双 SELECT [Extent1].[Id] AS [Id],[Extent1].[Streetname] AS [Streetname]
FROM [dbo].[Streets] AS [Extent1]
WHERE [Extent1].[Streetname] LIKE N'%Road'' OR 1=1%'
转义。
但这对所有攻击都足够安全吗?我可以放心使用 contains 吗?如果不是,我可以用什么代替 ''
?
解决方法
参数不仅仅是防止 SQL 注入的方法。 LINQ to SQL 知道如何正确转义字符串。所以别担心,一切都会好的。
无论如何,如果您更喜欢参数,只需将字符串值放入局部变量即可:
var streetName = "Road";
StreetRepository.Streets.Where(w => w.Streetname.Contains(streetName));
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。