Prevent SQL queries built from strings

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: csharp-security/sql-injection

Language: C#

Severity: Error

Category: Security

CWE: 89

Description

Never build SQL queries manually. Always have the query built with parameters and then pass the parameters to the prepared statement.

Learn More

Non-Compliant Code Examples

using System.Xml;

class MyClass {
    public static void doQuery(Int32 userId)
    {
        using (SqlConnection connection = new SqlConnection(connectionString))
        {
            SqlCommand command = new SqlCommand("SELECT attr FROM table WHERE id=" + userID, connection);
        }
    }
}

using System.Xml;

class MyClass {
    public static void goQuery(Int32 userID)
    {
        String query1 = "SELECT attr FROM table WHERE id=" + userID;
    }
}

Compliant Code Examples

using System.Xml;

class MyClass {
    public static void doQuery(Int32 userID)
    {
        using (SqlConnection connection = new SqlConnection(connectionString))
        {
            SqlCommand command = new SqlCommand("SELECT attr FROM table WHERE id=@ID", connection);
            command.Parameters.Add("@ID", SqlDbType.Int);
            command.Parameters["@ID"].Value = userID;
        }
    }
}
PREVIEWING: aliciascott/DOCS-9725-Cloudcraft