VB.NET can prevent injection when the DEBUG to see the final SQL text

Time:11-15

I have a question. The following is what I wrote to prevent SQL injection:

' OleDb binds the ? placeholders by position; the parameter names are only labels
Dim updateStatement As String = _
    "UPDATE table1 SET " & _
    "Name=? " & _
    "WHERE Name=?"
Using updateCommand As New OleDbCommand(updateStatement, connect)
    updateCommand.Parameters.AddWithValue("@Name1", Name1)
    updateCommand.Parameters.AddWithValue("@Name2", Name2)
    updateCommand.ExecuteNonQuery()
End Using

This code is fine; it has already been executed OK.
What I want to ask is: when debugging, before <updateCommand.ExecuteNonQuery()> is executed, can you see the final SQL text with the parameters already replaced?
For example with NAME1="aa" and NAME2="bb".
That is, while in DEBUG I want to see the SQL.

CodePudding user response:

Parameterization does not concatenate the SQL. During code execution, a statement such as update table1 set name="aa" where name="bb" never exists.

CodePudding user response:

Quoting the 1st floor reply by HZTLTGG:
Parameterization does not concatenate the SQL. During code execution, a statement such as update table1 set name="aa" where name="bb" never exists.

So there is no way at all?

CodePudding user response:

What exactly do you need? Parameterized code does no concatenation at the code level, so how could your SQL text exist? When debugging, you can also replace the parameters manually and debug that.
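As an added illustration (not code from this thread), the VB.NET helper below shows what a debugger can realistically give you: since parameterized execution never builds a substituted SQL string, the closest thing is the CommandText plus the bound values, and RenderForLogOnly fills them in for the log only. The table name, parameter values and the absence of an open connection are assumptions made for the sample.

```vbnet
' Added example, not from the thread: since parameterized execution never builds a
' substituted SQL string, the closest a debug log can get is the CommandText plus the
' bound values; RenderForLogOnly fills them in for the eye only and is never executed.
Imports System
Imports System.Data.OleDb
Imports System.Text

Module DebugParameterizedSql

    ' Dump the command exactly as the provider sees it: text with '?' intact, values apart.
    Public Function DescribeCommand(cmd As OleDbCommand) As String
        Dim sb As New StringBuilder()
        sb.AppendLine("CommandText (sent unchanged): " & cmd.CommandText)
        For Each p As OleDbParameter In cmd.Parameters
            sb.AppendLine(String.Format("  {0} = [{1}] as {2}", p.ParameterName, p.Value, p.OleDbType))
        Next
        Return sb.ToString()
    End Function

    ' Approximate the statement for a log line. OleDb binds '?' by position, so the
    ' i-th parameter goes into the i-th placeholder. Inspection only: do not execute it.
    Public Function RenderForLogOnly(cmd As OleDbCommand) As String
        Dim parts() As String = cmd.CommandText.Split("?"c)
        Dim sb As New StringBuilder(parts(0))
        For i As Integer = 0 To cmd.Parameters.Count - 1
            Dim v As String = Convert.ToString(cmd.Parameters(i).Value)
            sb.Append("'" & v.Replace("'", "''") & "'")   ' quoted for readability only
            If i + 1 < parts.Length Then sb.Append(parts(i + 1))
        Next
        Return sb.ToString()
    End Function

    Sub Main()
        ' Constructed sample; no connection is opened, so nothing reaches a database here.
        ' In the real code the command would be New OleDbCommand(updateStatement, connect).
        Dim updateStatement As String = "UPDATE table1 SET Name=? WHERE Name=?"
        Using updateCommand As New OleDbCommand(updateStatement)
            updateCommand.Parameters.AddWithValue("@Name1", "O'Brien")   ' apostrophe stays data
            updateCommand.Parameters.AddWithValue("@Name2", "bb")
            Console.WriteLine(DescribeCommand(updateCommand))
            Console.WriteLine("Rendered for the log only: " & RenderForLogOnly(updateCommand))
            ' updateCommand.ExecuteNonQuery() would run with the placeholders bound; the
            ' rendered string above never reaches the database.
        End Using
    End Sub
End Module
```

The rendered line is what the debugger can never show you natively, because the provider receives the placeholders and the values separately; treat it as a log aid, not as SQL to run.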

CodePudding user response:

Quoting the 4th floor reply by HZTLTGG:
What exactly do you need? Parameterized code does no concatenation at the code level, so how could your SQL text exist? When debugging, you can also replace the parameters manually and debug that.

The requirement is to compare, in DEBUG, the SQL before and after the change. If it is the same, fine; otherwise the changed SQL text has to go through strict testing, and the workload is too heavy...

CodePudding user response:

Then I think you should give it up. Concatenated SQL and parameterized SQL are two completely different patterns.

CodePudding user response:

Quoting the 6th floor reply by HZTLTGG:
Then I think you should give it up. Concatenated SQL and parameterized SQL are two completely different patterns.

OK, thank you.