Problem description
My earlier query used name=N'hook', and I then changed it to name=@name. These changes are meant to avoid SQL injection. I think the new code is missing the single quotes and the N prefix, but I'm not sure.
// OLD CODE with the N prefix; the parameter value is concatenated into the SQL text inside single quotes
var schemaName = "";
...
var command = new SqlCommand("SELECT schema_id FROM sys.schemas WHERE name = N'" + schemaName + "'");
// OLD CODE without the N prefix; the parameter value is concatenated into the SQL text inside single quotes
var schemaName = "";
...
var command = new SqlCommand("SELECT schema_id FROM sys.schemas WHERE name = '" + schemaName + "'");
// NEW CODE: the value is passed as a SqlParameter instead of being concatenated into the SQL text
var schemaName = "";
...
var command = new SqlCommand("SELECT schema_id FROM sys.schemas WHERE name = @schemaName");
command.Parameters.Add(new SqlParameter("@schemaName", schemaName));
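The following is an added example, not code from the original post: it shows the parameterised lookup with the parameter typed explicitly as nvarchar(128) (the type of sys.schemas.name), so the quotes and N prefix the question asks about are supplied by the parameter declaration rather than by the query text. It assumes the Microsoft.Data.SqlClient package and a caller-supplied connection string; the class and method names are hypothetical.

```csharp
// Added example (not from the original post): parameterised schema_id lookup.
// Assumes the Microsoft.Data.SqlClient package (System.Data.SqlClient has the
// same API) and a connection string supplied by the caller.
using System;
using System.Data;
using Microsoft.Data.SqlClient;

public static class SchemaLookup
{
    // The SQL text is a constant. It carries no quotes and no N prefix because
    // the value never becomes part of the text: the driver sends it separately,
    // typed as the parameter declares, so it cannot alter the statement.
    private const string Sql =
        "SELECT schema_id FROM sys.schemas WHERE name = @schemaName";

    public static SqlCommand Build(SqlConnection connection, string schemaName)
    {
        var command = new SqlCommand(Sql, connection);
        // sys.schemas.name is sysname, i.e. nvarchar(128). Declaring type and
        // size explicitly gives the Unicode semantics the old N'...' literal had
        // (a plain .NET string value would also be inferred as NVarChar) and
        // avoids one cached plan per distinct string length.
        var p = command.Parameters.Add("@schemaName", SqlDbType.NVarChar, 128);
        p.Value = schemaName;
        return command;
    }

    public static int? FindSchemaId(string connectionString, string schemaName)
    {
        using var connection = new SqlConnection(connectionString);
        using var command = Build(connection, schemaName);
        connection.Open();
        // ExecuteScalar returns null when no schema has that name.
        var result = command.ExecuteScalar();
        return result is int id ? id : (int?)null;
    }

    public static void Main()
    {
        // Constructed input containing a single quote. With the concatenating
        // code above it would break the SQL text; here it stays a plain value
        // and simply matches no schema. CommandText is unchanged by the input.
        var command = Build(new SqlConnection(), "hook'");
        Console.WriteLine(command.CommandText);
        Console.WriteLine(command.Parameters["@schemaName"].SqlDbType);
    }
}
```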