Reply 1: Use @ parameters. Example:

select * from XXX where name=@Name
...
cmd.Parameters.AddWithValue("@Name",值);
...

Reply 2:
Intended query: "select * from XXX where name = 'tom'"
Concatenation: string name = "tom"; "select * from XXX where name = '" + name + "'";
Injection: string name = "tom' delete from XXX --"; "select * from XXX where name = '" + name + "'"; which yields "select * from XXX where name = 'tom' delete from XXX --'"
Parameters: see the first reply (沙发). The whole string "tom' delete from XXX --" is passed as the parameter value rather than becoming part of the SQL statement.