We currently receive parameters of values as VARCHARs, and then build a date from them. I want to confirm that the method below would stop the possibility of SQL injection from this statement:
select CONVERT(datetime, '2010' + '-' + '02' + '-' + '21' + ' ' + '15:11:38.990')
Another note is that the actual parameters being passed through to the stored proc are length-bound at (4, 2, 2, 10, 12) VARCHARs, corresponding to the above.
If you use the statement like this, within a stored procedure:
select CONVERT(datetime, @Year + '-' + @Month + '-' + @Day + ' ' + @Time)
then you should be fine, since the target datatype datetime will only receive valid date strings.
If you use it like this in your stored procedure:
EXEC ('select CONVERT(datetime, @Year+''-''+@Month+''-''+@Day+'' ''+ @Time)')
you could have an issue. It is unlikely, since the input strings are limited to a short length, but who knows what some hacker will think up to fit in that tiny space.
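The two shapes contrasted in the answer above, written out as an added example (T-SQL for SQL Server; this is not code from the question or the answerer). The procedure names dbo.BuildDate_Static, dbo.BuildDate_DynamicUnsafe and dbo.BuildDate_DynamicSafe, the CREATE OR ALTER syntax (SQL Server 2016 SP1 or later) and the 12-character test payload are assumptions made for the demonstration; the CONVERT expression and the (4, 2, 2, 12) VARCHAR bounds are the question's.

```sql
-- Added example, not code from the question or the answer. T-SQL for SQL Server.
-- Assumed for the demo: the three procedure names, CREATE OR ALTER (2016 SP1+), the payload.

-- 1. Static statement: @Year/@Month/@Day/@Time are only operands of '+' and CONVERT.
--    They are never re-parsed as T-SQL, so nothing in them can become code; a value
--    that is not a date just makes CONVERT fail with a conversion error (Msg 241).
CREATE OR ALTER PROCEDURE dbo.BuildDate_Static
    @Year  VARCHAR(4),
    @Month VARCHAR(2),
    @Day   VARCHAR(2),
    @Time  VARCHAR(12)
AS
BEGIN
    SET NOCOUNT ON;
    -- Style 121 (yyyy-mm-dd hh:mi:ss.mmm) pins the parse; SET DATEFORMAT / LANGUAGE
    -- of the caller's session then cannot change how the string is interpreted.
    SELECT CONVERT(datetime, @Year + '-' + @Month + '-' + @Day + ' ' + @Time, 121) AS BuiltDate;
END;
GO

-- 2. Dynamic statement built by concatenation: the values are pasted into text that
--    EXEC compiles as T-SQL. The length bound does not protect you: the 12-character
--    @Time value ');PRINT 1-- closes the literal and the CONVERT call, ends the
--    statement, runs PRINT, and comments out the remainder. Any other statement that
--    fits in 12 characters works the same way.
CREATE OR ALTER PROCEDURE dbo.BuildDate_DynamicUnsafe
    @Year VARCHAR(4), @Month VARCHAR(2), @Day VARCHAR(2), @Time VARCHAR(12)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(300) =
        N'SELECT CONVERT(datetime, ''' + @Year + '-' + @Month + '-' + @Day + ' ' + @Time + ''', 121) AS BuiltDate;';
    -- With @Time = ''');PRINT 1--' the batch that EXEC receives is:
    --   SELECT CONVERT(datetime, '2010-02-21 ');PRINT 1--', 121) AS BuiltDate;
    EXEC (@sql);
END;
GO

-- 3. Dynamic statement done safely: the SQL text is a constant and the values are
--    passed as parameters of sp_executesql, so they are bound after parsing, exactly
--    as in the static case. Use this whenever the statement really has to be dynamic.
CREATE OR ALTER PROCEDURE dbo.BuildDate_DynamicSafe
    @Year VARCHAR(4), @Month VARCHAR(2), @Day VARCHAR(2), @Time VARCHAR(12)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(300) =
        N'SELECT CONVERT(datetime, @y + ''-'' + @m + ''-'' + @d + '' '' + @t, 121) AS BuiltDate;';
    EXEC sys.sp_executesql @sql,
        N'@y VARCHAR(4), @m VARCHAR(2), @d VARCHAR(2), @t VARCHAR(12)',
        @y = @Year, @m = @Month, @d = @Day, @t = @Time;
END;
GO

-- Usage: the question's values yield 2010-02-21 15:11:38.990 from all three procedures.
EXEC dbo.BuildDate_Static      '2010', '02', '21', '15:11:38.990';
EXEC dbo.BuildDate_DynamicSafe '2010', '02', '21', '15:11:38.990';

-- Same payload, two outcomes. The unsafe procedure prints 1: attacker-controlled text
-- ran as a statement. The safe one fails with conversion error 241 and runs nothing else.
EXEC dbo.BuildDate_DynamicUnsafe '2010', '02', '21', ''');PRINT 1--';
EXEC dbo.BuildDate_DynamicSafe   '2010', '02', '21', ''');PRINT 1--';
```

The practical test is the one the unsafe call demonstrates: if a parameter value can ever change the shape of the statement rather than just the value of an operand, length limits and input filtering are not a defence, only parameter binding is.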
If that statement is a stored procedure, you won't suffer from SQL injection anyway.
If that statement is generated in a language (PHP, for example), then just make sure you escape the strings on the way in (replace ' with \' for MySQL or '' for MSSQL) to avoid injection attacks.