I am analysing my code and ran into this security warning:
CA2100 Review SQL queries for security vulnerabilities The query string passed to ‘SqlDataAdapter.SqlDataAdapter(string, SqlConnection)’ in ‘Add_item.loadgrid()’ could contain the following variables ‘Login.dbName’. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations. Login Add_item.cs 64
This is the highlighted code:
SqlDataAdapter da = new SqlDataAdapter("SELECT Newjob FROM [" + Login.dbName + "].newjob", connection.conn);
Solution:
This is what is commonly called a SQL injection vulnerability. You should use SqlParameter objects instead of concatenating the value into a string and passing that string to SQL Server.
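One way to restructure loadgrid() along the lines of the answer, as an added example that is not code from the question or the answer. It assumes an open SqlConnection, a database name coming from the Login form, and a hypothetical allow-list of databases the application may read; since a database name is an identifier and cannot be bound as a SqlParameter, it is checked against that allow-list and bracket-quoted, while a user-typed column value is passed as a real parameter.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not the original question's or answer's code.
static class NewJobRepository
{
    // Hypothetical allow-list: the only databases this application may query.
    private static readonly HashSet<string> AllowedDatabases =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ShopMain", "ShopArchive" };

    // Identifiers (database, schema, table) cannot be SqlParameters, so the
    // value is accepted only from the allow-list and then bracket-quoted,
    // doubling any ']' so the quoting cannot be broken out of.
    public static string QuoteDatabaseName(string dbName)
    {
        if (dbName == null || !AllowedDatabases.Contains(dbName))
            throw new ArgumentException("Database not permitted: " + dbName);
        return "[" + dbName.Replace("]", "]]") + "]";
    }

    // Column values typed by the user (here a job-name prefix) are bound with
    // SqlParameter, so SQL Server receives them as data, never as SQL text.
    // A three-part name (database.schema.table, schema assumed to be dbo) is used.
    public static DataTable LoadGrid(SqlConnection conn, string dbName, string jobPrefix)
    {
        string sql = "SELECT Newjob FROM " + QuoteDatabaseName(dbName) +
                     ".dbo.newjob WHERE Newjob LIKE @prefix";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@prefix", SqlDbType.NVarChar, 100).Value = jobPrefix + "%";
            var table = new DataTable();
            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(table);
            }
            return table;
        }
    }
}
```

With this shape the CA2100 warning no longer fires on the user-supplied value, and a database name outside the allow-list is rejected before any query is built.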