
SQLite injection with list of strings

Could anyone tell me a way to prevent SQL injection when building queries for SQLite where the WHERE clause has a "myval IN (string_1, ... , string_n)" condition?

I thought about dynamically building the command text with annotations and adding the parameters for those annotations from the string list. Is there an easier way?

Thanks.


No, there's no easier way. Don't make a list of dangerous characters. Just use a command with parameters.

using System.Data.SQLite;

// ...

using (var conn = new SQLiteConnection(connectionString))
using (var command = conn.CreateCommand())
{
    conn.Open();
    // @id is a named placeholder; the value is bound separately and never
    // spliced into the SQL text, so it cannot change the query's structure.
    command.CommandText = "select name from persons where id = @id";
    command.Parameters.AddWithValue("@id", 5);
    using (var reader = command.ExecuteReader())
    {
        while (reader.Read())
        {
            // consume reader["name"] here
        }
    }
}
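The answer shows one bound parameter; the question is about an IN list of unknown length. The following is an added example (not from the original post or answerer) that applies the same idea in Python with the standard-library sqlite3 module: the only thing generated dynamically is the list of "?" placeholders, and every string from the list is bound as a parameter. It also keeps the concatenation approach the answer warns against next to the safe one so the difference is visible on a hostile input, and it handles two edge cases a practitioner hits in practice: an empty list (`IN ()` is a syntax error in SQLite) and lists longer than the engine's bound-parameter limit (older SQLite builds default SQLITE_MAX_VARIABLE_NUMBER to 999). The table, the rows and the hostile name are constructed for the demo.

```python
import sqlite3
from typing import Sequence

# Conservative cap for one statement; older SQLite builds limit bound
# parameters to 999 (SQLITE_MAX_VARIABLE_NUMBER), newer ones to 32766.
MAX_PARAMS = 999


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persons (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO persons (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    conn.commit()
    return conn


def fetch_persons_by_names_unsafe(conn: sqlite3.Connection, names: Sequence[str]) -> list:
    """DO NOT USE: the concatenation the answer warns against.

    Quoting by hand means a single quote inside a value ends the literal and
    the rest of the value becomes SQL.
    """
    quoted = ", ".join("'" + n + "'" for n in names)
    sql = f"SELECT id, name FROM persons WHERE name IN ({quoted}) ORDER BY id"
    return conn.execute(sql).fetchall()


def fetch_persons_by_names(conn: sqlite3.Connection, names: Sequence[str]) -> list:
    """Safe version: one '?' placeholder per value, values bound separately.

    The SQL text contains only placeholders, so nothing in `names` can
    change the statement's structure, whatever characters it holds.
    """
    if not names:
        return []  # "IN ()" is a syntax error in SQLite, so short-circuit
    if len(names) > MAX_PARAMS:
        raise ValueError(f"too many IN values for one statement ({len(names)} > {MAX_PARAMS})")
    placeholders = ", ".join("?" for _ in names)
    sql = f"SELECT id, name FROM persons WHERE name IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, tuple(names)).fetchall()


def fetch_persons_by_names_chunked(
    conn: sqlite3.Connection, names: Sequence[str], chunk_size: int = MAX_PARAMS
) -> list:
    """Same query for lists longer than the parameter limit: run it per chunk
    and merge, re-sorting by id since each chunk is ordered on its own."""
    rows = []
    for start in range(0, len(names), chunk_size):
        rows.extend(fetch_persons_by_names(conn, names[start:start + chunk_size]))
    return sorted(set(rows))


if __name__ == "__main__":
    db = make_demo_db()
    hostile = "x') OR ('1'='1"  # constructed injection payload
    print("unsafe:", fetch_persons_by_names_unsafe(db, [hostile]))  # every row leaks
    print("safe:  ", fetch_persons_by_names(db, [hostile]))         # no match
    print("safe:  ", fetch_persons_by_names(db, ["alice", "carol"]))
```

The hostile value turns the unsafe statement into `WHERE name IN ('x') OR ('1'='1')`, which returns the whole table; the parameterized version compares the same bytes as a plain string and returns nothing. The same placeholder-building pattern carries straight over to the C# code in the answer: generate `@p0, @p1, ...` in `CommandText` and call `AddWithValue` once per string.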
