JFreeChart与SWT(JFreeChart with SWT)
我正在开发一个eclipse的插件并扩展org.eclipse.ui.views扩展点。 我想使用JFreeChart在eclipse视图中绘制一些图形。 在eclipse视图中可以使用带SWT的JFreeChart吗?
I'm developping a plugin for eclipse and extending the org.eclipse.ui.views extension point. I want to use JFreeChart for drawing some graphics in eclipse view. Is it possible to use JFreeChart with SWT in eclipse view ?
原文:https://stackoverflow.com/questions/1499278
最满意答案
我确信这将是关于C#中参数化查询的一些规范问题的重复,但显然没有一个(见此)!
您应该参数化您的查询 - 如果不这样做,您将面临将恶意代码注入查询的风险。 例如,如果您当前的代码可以针对数据库运行,那么使代码执行如下操作将是微不足道的:
// string id = "1 OR 1=1" "SELECT * Products WHERE Idx_ProductId = 1 OR 1=1" // will return all product rows // string id = "NULL; SELECT * FROM UserPasswords" - return contents of another table // string id = "NULL; DROP TABLE Products" - uh oh // etc....
ADO.NET提供了非常简单的功能来参数化您的查询,而您的
DBOps
类最有可能没有使用它(您传入的是构建的命令字符串)。 相反,你应该做这样的事情:public DataTable ViewProduct(string id) { try { string connStr = ConfigurationManager.ConnectionStrings["MyDatabase"].ConnectionString; using (SqlConnection conn = new SqlConnection(connStr)) { conn.Open(); using (SqlCommand cmd = conn.CreateCommand()) { // @id is very important here! // this should really be refactored - SELECT * is a bad idea // someone might add or remove a column you expect, or change the order of columns at some point cmd.CommandText = "SELECT * Products WHERE Idx_ProductId = @id"; // this will properly escape/prevent malicious versions of id // use the correct type - if it's int, SqlDbType.Int, etc. cmd.Parameters.Add("@id", SqlDbType.Varchar).Value = id; using (SqlDataReader reader = cmd.ExecuteReader()) { DataTable vpTbl = new DataTable(); vpTbl.Load(reader); return vpTbl; } } } } catch (Exception e) { // do some meaningful logging, possibly "throw;" exception - don't just return null! // callers won't know why null got returned - because there are no rows? because the connection couldn't be made to the database? because of something else? } }
现在,如果有人试图传递“NULL; SELECT * FROM SensitiveData”,它将被正确地参数化。 ADO.NET/Sql Server将其转换为:
DECLARE @id VARCHAR(100) = 'NULL; SELECT * FROM SensitiveData'; SELECT * FROM PRoducts WHERE Idx_ProductId = @id;
这将不会返回任何结果(除非您有一个
Idx_ProductId
实际上是该字符串)而不是返回第二个SELECT
的结果。一些额外的阅读:
I was so sure this would be a duplicate of some canonical question about parameterized queries in C#, but apparently there isn't one (see this)!
You should parameterize your query - if you don't, you run the risk of a malicious piece of code injecting itself into your query. For example, if your current code could run against the database, it would be trivial to make that code do something like this:
// string id = "1 OR 1=1" "SELECT * Products WHERE Idx_ProductId = 1 OR 1=1" // will return all product rows // string id = "NULL; SELECT * FROM UserPasswords" - return contents of another table // string id = "NULL; DROP TABLE Products" - uh oh // etc....
ADO.NET provides very simple functionality to parameterize your queries, and your
DBOps
class most assuredly is not using it (you're passing in a built up command string). Instead you should do something like this:public DataTable ViewProduct(string id) { try { string connStr = ConfigurationManager.ConnectionStrings["MyDatabase"].ConnectionString; using (SqlConnection conn = new SqlConnection(connStr)) { conn.Open(); using (SqlCommand cmd = conn.CreateCommand()) { // @id is very important here! // this should really be refactored - SELECT * is a bad idea // someone might add or remove a column you expect, or change the order of columns at some point cmd.CommandText = "SELECT * Products WHERE Idx_ProductId = @id"; // this will properly escape/prevent malicious versions of id // use the correct type - if it's int, SqlDbType.Int, etc. cmd.Parameters.Add("@id", SqlDbType.Varchar).Value = id; using (SqlDataReader reader = cmd.ExecuteReader()) { DataTable vpTbl = new DataTable(); vpTbl.Load(reader); return vpTbl; } } } } catch (Exception e) { // do some meaningful logging, possibly "throw;" exception - don't just return null! // callers won't know why null got returned - because there are no rows? because the connection couldn't be made to the database? because of something else? } }
Now, if someone tries to pass "NULL; SELECT * FROM SensitiveData", it will be properly parameterized. ADO.NET/Sql Server will convert this to:
DECLARE @id VARCHAR(100) = 'NULL; SELECT * FROM SensitiveData'; SELECT * FROM PRoducts WHERE Idx_ProductId = @id;
which will return no results (unless you have a
Idx_ProductId
that actually is that string) instead of returning the results of the secondSELECT
.Some additional reading:
- https://security.stackexchange.com/questions/25684/how-can-i-explain-sql-injection-without-technical-jargon
- Difference between Parameters.Add and Parameters.AddWithValue
- SQL injection on INSERT
- Avoiding SQL injection without parameters
- How do I create a parameterized SQL query? Why Should I? (VB.NET)
- How can I prevent SQL injection in PHP? (PHP specific, but many helpful points)
- Is there a canonical question telling people why they should use SQL parameters?
相关问答
更多-
TCP/IP模型是一个________。[2023-10-02]
a -
ASP.NET,C#如何将StringQuery传递给自定义SQL命令(ASP.NET, C# How to Pass a StringQuery to a custom SQL Command)[2023-03-27]
我确信这将是关于C#中参数化查询的一些规范问题的重复,但显然没有一个(见此)! 您应该参数化您的查询 - 如果不这样做,您将面临将恶意代码注入查询的风险。 例如,如果您当前的代码可以针对数据库运行,那么使代码执行如下操作将是微不足道的: // string id = "1 OR 1=1" "SELECT * Products WHERE Idx_ProductId = 1 OR 1=1" // will return all product rows // string id = "NULL; SELECT ... -
下列中不属于面向对象的编程语言的是?[2022-05-30]
a -
很可能默认的MVC Model Binder将成功提取Route值,因此您可以将POModel参数添加到您的操作方法签名中。 public ActionResult editPOList(POModel model) { //... } Most probably the default MVC Model Binder will successfully extract the Route values so you can add POModel ...
-
如何将方法名称传递给asp.net中的自定义服务器控件?(How to pass method name to custom server control in asp.net?)[2023-08-16]
如果您希望能够在ASPX标记中传递方法,则需要在事件的代码中使用Browsable属性。 VB.NETPublic Event InitializeStuffCallback C# [Browsable(true)] public event EventHandler InitializeStuffCallback; 参考: 组件和BrowsableAttribute类的 设计时属性 所有事件,属性或其他任何需要在控件的代码隐藏中使用browsable属性来实现它, ... -
看起来你已经声明连接但没有将它分配给SqlCommand using (SqlCommand cmd = new SqlCommand ("Select * from users where user_email= @email and user_password = @password",connection)) { cmd.Parameters.AddWithValue("@email", Email.Text); cmd.Param ...
-
我在类似的问题上挣扎,并在这里找到了我的方式。 这里的答案对我不起作用,但这是我做的解决它的方法。 我不得不将文件添加到GAC。 gacutil.exe /i MyFile.dll 然后你可以得到版本和 gacutil /l MyFile 全局程序集缓存包含以下程序集: MyFile,Version = 6.8.0.6,Culture = neutral,PublicKeyToken = 99ttt95b5a5 d634b,processorArchitecture = MSIL 然后,您将这些值复制到 ...
-
SQL异常错误C#ASP.Net(SQL Exception Error C# ASP.Net)[2022-07-05]
您可以将False更改为0或“False” 例 You can change the False for 0 or for 'False' Example -
这可能不会如你所期望的那样工作。 相反,请添加如下所示的占位符:
-
尝试: e.Values["Picture"] = pu.FileName; 这里有一个例子。 据此,以上应该是你所需要的。 Try: e.Values["Picture"] = pu.FileName; There's an example here. According to that, the above should be all you need.