sql - 如何防止 Visual Basic 2012 中以下代码的 SQL 注入(inject)

Question

我对如何防止 SQL 注入(inject)感到困惑，我在网上看过。我是使用存储过程，还是创建变量，我完全迷失了。

 Try
 connection.Open()
 ’we got here so our connection to the db is sound
 chosen = cboBooks.SelectedIndex
 id = customerList(cboCustomers.SelectedIndex)
 isbn = isbnList(cboBooks.SelectedIndex)
 If number <= qty Then
     Dim sql As String
     sql = "INSERT INTO purchase(customer_id, ISBN, store_id, quantity)
                        VALUES(" & id & ", " & isbn & ", 1, " & number & ");"
     Dim cmd As New SqlCommand(sql, connection)
     Dim rows As Integer
     rows = cmd.ExecuteNonQuery()
     If rows >= 1 Then
     ’now update the inventory to reflect a sale
     sql = "UPDATE inventory SET quantity = (quantity -" & number & ")
            WHERE inventory.ISBN = " & isbn & " AND  store_id = 1"
     ’define and execute the query command
      Dim cmd2 As New SqlCommand(sql, connection)
      rows = cmd2.ExecuteNonQuery

Answer 1

每当您连接 sql 并使用用户可以直接访问的变量时，您就会面临 SQL 注入(inject)的危险。

在您的情况下，修复可能看起来像这样:

 sql = "INSERT INTO purchase(customer_id, ISBN, store_id, quantity)
                    VALUES(@id, @isbn , 1, @number);"
Dim cmd As New SqlCommand(sql, connection)
cmd.Parameters.AddWithValue("@id", id )
cmd.Parameters.AddWithValue("@isbn", isbn )
cmd.Parameters.AddWithValue("@number", number)
Dim rows As Integer
rows = cmd.ExecuteNonQuery()

第二个查询看起来像这样:

sql = "UPDATE inventory SET quantity = (quantity - @number)
        WHERE inventory.ISBN = @isbn AND store_id = 1"
Dim cmd2 As New SqlCommand(sql, connection)
cmd2.Parameters.AddWithValue("@number", id )
cmd2.Parameters.AddWithValue("@isbn", isbn )
rows = cmd2.ExecuteNonQuery

通过使用参数，字符串被转义为任何可能是恶意代码。

其他好的引用资料:

What is SQL injection?

How does the SQL injection from the "Bobby Tables" XKCD comic work?

编辑:

正如@AndyLester 在评论中指出的那样，我想建议的是使用用户数据连接到您的可执行代码中是危险的!