SQL injection in OdbcCommand.Parameters on PostgreSQL?

Suppose you have this code in C#/.NET (using PostgreSQL via ODBC):

using System.Data.Odbc;
...
OdbcCommand cmd = ...;
cmd.CommandText = "SELECT id, email, password FROM users WHERE email=?;";
cmd.Parameters.Clear();
cmd.Parameters.Add("email", OdbcType.VarChar).Value = aEmail;

But when aEmail is a backslash followed by an apostrophe, I get the following error:

Exception type: OdbcException
Exception message: ERROR [42601] ERROR: unterminated quoted string at or near "    ;";
Error while executing the query

As I've read, using OdbcCommand.Parameters should protect against SQL injection, but in this case it looks like something doesn't work right. What am I missing?

Important note: I had never used PostgreSQL, ODBC or .NET before (started today), and I hope to stop using them today too; but I need to fix 4 problems in a simple web application, which previously were:

String.Format("SELECT ... email = {0}", aEmail)
Best answer

Are you trying to escape the single quote? The problem is that to escape a single quote in PostgreSQL you should escape it with another single quote, not with a backslash:

    

However, the ODBC driver should do this for you automatically, passing only the single quote... Try to update to the latest version of the ODBC driver; if the problem persists, maybe it is better to open an issue on the PostgreSQL bug mailing list.
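An added example, not part of the question or the answer above: it builds the query from the question with the two quoting strategies the answer contrasts and runs the result through a small tokenizer for PostgreSQL string literals, showing that backslash-escaping the input `\'` leaves the statement unterminated (the same failure the error message reports), while doubling the quote reads back exactly. It assumes standard_conforming_strings = on, PostgreSQL's default since 9.1; a real application should still use driver-side parameters rather than hand-quoting.

```python
# Assumption: standard_conforming_strings = on, so inside '...' a backslash is an
# ordinary character and the only way to write a literal quote is ''.

def quote_by_doubling(value: str) -> str:
    """Quote a value the PostgreSQL way: ' becomes ''."""
    return "'" + value.replace("'", "''") + "'"

def quote_by_backslash(value: str) -> str:
    """Quote a value C/MySQL-style (wrong for PostgreSQL): ' becomes \\'."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def scan_string_literals(sql: str):
    """Tokenize standard-conforming string literals.

    Returns (literals_found, fully_terminated). Text outside quotes is skipped;
    '' inside a literal is an escaped quote; a backslash is not special.
    """
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        i += 1  # consume the opening quote
        buf = []
        while True:
            if i >= n:
                return literals, False  # input ended inside a literal
            c = sql[i]
            if c == "'":
                if i + 1 < n and sql[i + 1] == "'":  # '' -> literal quote
                    buf.append("'")
                    i += 2
                    continue
                i += 1  # closing quote
                break
            buf.append(c)
            i += 1
        literals.append("".join(buf))
    return literals, True

def build_query(email: str, quoter) -> str:
    """The question's statement with the value quoted client-side (constructed)."""
    return "SELECT id, email, password FROM users WHERE email=" + quoter(email) + ";"

def round_trips(email: str, quoter) -> bool:
    """True if the server would parse exactly one literal equal to `email`."""
    literals, terminated = scan_string_literals(build_query(email, quoter))
    return terminated and literals == [email]

if __name__ == "__main__":
    for quoter in (quote_by_doubling, quote_by_backslash):
        print(quoter.__name__, build_query("\\'", quoter), round_trips("\\'", quoter))
```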

Answers

No answers yet
