您的位置: 首页  >  IT文章  >  施用动态sql的方法防止sql注入

施用动态sql的方法防止sql注入

分类: IT文章 2023-10-24 08:11:16
使用动态sql的方法防止sql注入

事例SQL语句如下:

DECLARE @variable NVARCHAR(100)
DECLARE @SQLString NVARCHAR(1024)
DECLARE @ParmDefinition NVARCHAR(500)
SET @SQLString = N'SELECT OEV.Name, OEV.Position, Base_Employee.Address, OEV.Telephone, OEV.MobilePhone, OEV.Email, OEV.RealDepID
                   FROM Base_OrganizeEmployeeView AS OEV
                   JOIN Base_Employee
                   ON Base_Employee.Emp_ID = OEV.Emp_ID
                   WHERE (OEV.Account LIKE ''%'' + @searchFilter + ''%'' OR OEV.Name LIKE ''%'' + @searchFilter + ''%'' OR OEV.Position LIKE ''%'' + @searchFilter + ''%'' ) AND STATE = 1'
SET @parmDefinition = N'@searchFilter varchar(100)'
SET @variable = N'k'
EXECUTE sp_executesql @SQLString, @ParmDefinition, @searchFilter = @variable

相关推荐