PostgreSQL 上的 OdbcCommand.Parameters 中的 SQL 注入?
假设您在 C#/.NET 中有此代码(通过 ODBC 使用 PostgreSQL):
using System.Data.Odbc;
...
OdbcCommand cmd = ...;
cmd.CommandText = "SELECT id, email, password FROM users WHERE email=?;";
cmd.Parameters.Clear();
cmd.Parameters.Add("email", OdbcType.VarChar).Value = aEmail;
但是当 aEmail == \' (反斜杠和 apos.) 时,它会给出以下错误:
Exception type: OdbcException
Exception message: ERROR [42601] ERROR: unterminated quoted string at or near "'\''';";
Error while executing the query
正如我所读到的,使用 OdbcCommand.Parameters 应该保护反对 SQL 注入,但在这种情况下,它看起来好像有些东西不能正常工作,我错过了什么?
重要提示:我以前从未使用过 PostgreSQL、ODBC、.NET(今天开始,但我希望今天也结束;),但我需要在一个简单的 Web 应用程序中修复 4 个 SQL 查询 - 以前有:
System.Format("SELECT ... email = {0}", aEmail)
Assume that you have this code in C#/.NET (using PostgreSQL via ODBC):
using System.Data.Odbc;
...
OdbcCommand cmd = ...;
cmd.CommandText = "SELECT id, email, password FROM users WHERE email=?;";
cmd.Parameters.Clear();
cmd.Parameters.Add("email", OdbcType.VarChar).Value = aEmail;
But when aEmail == \' (backslash and apos.) then it gives me following error:
Exception type: OdbcException
Exception message: ERROR [42601] ERROR: unterminated quoted string at or near "'\''';";
Error while executing the query
As I've read, using OdbcCommand.Parameters should protect against SQL injection, but in this case it looks like something doesn't works right, what am I missing?
Important note: I've never used PostgreSQL, ODBC, .NET before (started today, but I hope to end it today too ;), but I need to fix 4 SQL queries in one simple web application - previously there was:
System.Format("SELECT ... email = {0}", aEmail)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你想逃避单引号吗?问题是,要转义 PostgreSQL 中的单引号,您应该使用另一个单引号而不是反斜杠转义它:
但是 ODBC 驱动程序应该为您自动仅传递单引号...尝试使用最新版本进行更新ODBC 驱动程序,如果问题仍然存在,也许最好向 postgreSQL bug 邮件列表提出问题。
Are you trying to escape the single quote? the problem is that to escape the single quote in PostgreSQL you should escape it with another single quote and not with backslash :
However the ODBC driver should do this for you automatically passing only the single quote... Try to update with the latest version of the ODBC driver, if the problem persist maybe it is better to open an issue to the postgreSQL bug mailing list .