SQLite injection with list of strings

Developer https://www.devze.com 2022-12-17 14:09 Source: web
Could anyone tell me a way to prevent SQL injection when building queries for SQLite where the WHERE clause has a "myval IN (string_1, ... , string_n)" condition?

I thought about dynamically building the command text with annotations and adding the parameters for those annotations from the string list. Is there an easier way?

Thanks.


No, there's no easier way. Don't make a list of dangerous characters. Just use a command with parameters.

using System.Data.SQLite;

// One bound parameter: the value travels separately from the SQL text,
// so it can never be parsed as part of the statement.
using (var conn = new SQLiteConnection(connectionString))
using (var command = conn.CreateCommand())
{
    conn.Open();
    command.CommandText = "select name from persons where id = @id";
    command.Parameters.AddWithValue("@id", 5);
    using (var reader = command.ExecuteReader())
    {
        while (reader.Read())
        {
            // process reader["name"] here
        }
    }
}
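The placeholder-per-value approach the question describes and the answer recommends, as an added example that is not part of the original post. It uses Python's sqlite3 module rather than the C# of the answer, and the `persons` table and its rows are constructed here for the demonstration. The string-splicing form is kept beside the parameterised one so the difference is visible, and the list is chunked because SQLite caps the number of bound parameters per statement (SQLITE_MAX_VARIABLE_NUMBER, 999 by default before 3.32.0 and 32766 since).

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
PERSONS = [(1, "alice"), (2, "bob"), (3, "carol"), (4, "dave")]


def make_db():
    """In-memory SQLite database with a small persons table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persons (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO persons (id, name) VALUES (?, ?)", PERSONS)
    conn.commit()
    return conn


def ids_by_name_unsafe(conn, names):
    """The pattern the question wants to avoid: values spliced into the SQL text.
    A value containing a quote can close the literal and rewrite the WHERE clause."""
    quoted = ", ".join("'" + n + "'" for n in names)
    sql = "SELECT id FROM persons WHERE name IN (" + quoted + ")"
    return sorted(row[0] for row in conn.execute(sql))


def ids_by_name(conn, names, chunk_size=500):
    """Parameterised IN (...): one '?' per value, values bound separately.

    Only the placeholder list is built dynamically; the values never touch the
    SQL text, so quotes, comments and keywords inside them are just data.
    chunk_size keeps each statement under SQLite's bound-parameter limit.
    """
    names = list(names)
    found = []
    for start in range(0, len(names), chunk_size):
        chunk = names[start:start + chunk_size]
        placeholders = ", ".join(["?"] * len(chunk))
        sql = "SELECT id FROM persons WHERE name IN (" + placeholders + ")"
        found.extend(row[0] for row in conn.execute(sql, chunk))
    return sorted(found)  # an empty list yields no statement and no rows


if __name__ == "__main__":
    db = make_db()
    hostile = ["alice", "x') OR 1=1 --"]  # constructed injection attempt
    print("unsafe:", ids_by_name_unsafe(db, hostile))  # every row comes back
    print("safe:  ", ids_by_name(db, hostile))         # only alice matches
    print("chunked:", ids_by_name(db, ["dave", "alice", "bob"], chunk_size=2))
```

With the spliced version the second value turns the statement into `... WHERE name IN ('alice', 'x') OR 1=1 --')` and every row is returned; with placeholders the same value is compared literally and matches nothing. Run the lookup inside a single transaction if the chunks must see a consistent snapshot.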
