JFreeChart与SWT(JFreeChart with SWT)

 我确信这将是关于C＃中参数化查询的一些规范问题的重复，但显然没有一个（见此）！ 
 
 您应该参数化您的查询 - 如果不这样做，您将面临将恶意代码注入查询的风险。 例如，如果您当前的代码可以针对数据库运行，那么使代码执行如下操作将是微不足道的： 
 
// string id = "1 OR 1=1"
"SELECT * Products WHERE Idx_ProductId = 1 OR 1=1" // will return all product rows
// string id = "NULL; SELECT * FROM UserPasswords" - return contents of another table
// string id = "NULL; DROP TABLE Products" - uh oh
// etc....
 
 ADO.NET提供了非常简单的功能来参数化您的查询，而您的DBOps类最有可能没有使用它（您传入的是构建的命令字符串）。 相反，你应该做这样的事情： 
 
public DataTable ViewProduct(string id)
{
    try
    {
        string connStr = ConfigurationManager.ConnectionStrings["MyDatabase"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        {
            conn.Open();
            using (SqlCommand cmd = conn.CreateCommand())
            {
                // @id is very important here!
                // this should really be refactored - SELECT * is a bad idea
                // someone might add or remove a column you expect, or change the order of columns at some point
                cmd.CommandText = "SELECT * Products WHERE Idx_ProductId = @id";
                // this will properly escape/prevent malicious versions of id
                // use the correct type - if it's int, SqlDbType.Int, etc.
                cmd.Parameters.Add("@id", SqlDbType.Varchar).Value = id;
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    DataTable vpTbl = new DataTable();
                    vpTbl.Load(reader);
                    return vpTbl;
                }
            }
        }
    }
    catch (Exception e)
    {
        // do some meaningful logging, possibly "throw;" exception - don't just return null!
        // callers won't know why null got returned - because there are no rows? because the connection couldn't be made to the database? because of something else?
    }
}
 
 现在，如果有人试图传递“NULL; SELECT * FROM SensitiveData”，它将被正确地参数化。 ADO.NET/Sql Server将其转换为： 
 
DECLARE @id VARCHAR(100) = 'NULL; SELECT * FROM SensitiveData';
SELECT * FROM PRoducts WHERE Idx_ProductId = @id;
 
 这将不会返回任何结果（除非您有一个Idx_ProductId实际上是该字符串）而不是返回第二个SELECT的结果。 
 
 一些额外的阅读： 
 
 
 
 https://security.stackexchange.com/questions/25684/how-can-i-explain-sql-injection-without-technical-jargon 
 
 
 Parameters.Add和Parameters.AddWithValue之间的区别 
 
 
 INSERT上的SQL注入 
 
 
 避免不带参数的SQL注入 
 
 
 如何创建参数化SQL查询？ 我为什么要？ （VB.NET） 
 
 
 如何在PHP中阻止SQL注入？ （PHP特定，但许多有用的点） 
 
 
 是否存在一个规范性问题，告诉人们为什么要使用SQL参数？ 
 

I was so sure this would be a duplicate of some canonical question about parameterized queries in C#, but apparently there isn't one (see this)!
 
You should parameterize your query - if you don't, you run the risk of a malicious piece of code injecting itself into your query. For example, if your current code could run against the database, it would be trivial to make that code do something like this:
 
// string id = "1 OR 1=1"
"SELECT * Products WHERE Idx_ProductId = 1 OR 1=1" // will return all product rows
// string id = "NULL; SELECT * FROM UserPasswords" - return contents of another table
// string id = "NULL; DROP TABLE Products" - uh oh
// etc....
 
ADO.NET provides very simple functionality to parameterize your queries, and your DBOps class most assuredly is not using it (you're passing in a built up command string). Instead you should do something like this:
 
public DataTable ViewProduct(string id)
{
    try
    {
        string connStr = ConfigurationManager.ConnectionStrings["MyDatabase"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        {
            conn.Open();
            using (SqlCommand cmd = conn.CreateCommand())
            {
                // @id is very important here!
                // this should really be refactored - SELECT * is a bad idea
                // someone might add or remove a column you expect, or change the order of columns at some point
                cmd.CommandText = "SELECT * Products WHERE Idx_ProductId = @id";
                // this will properly escape/prevent malicious versions of id
                // use the correct type - if it's int, SqlDbType.Int, etc.
                cmd.Parameters.Add("@id", SqlDbType.Varchar).Value = id;
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    DataTable vpTbl = new DataTable();
                    vpTbl.Load(reader);
                    return vpTbl;
                }
            }
        }
    }
    catch (Exception e)
    {
        // do some meaningful logging, possibly "throw;" exception - don't just return null!
        // callers won't know why null got returned - because there are no rows? because the connection couldn't be made to the database? because of something else?
    }
}
 
Now, if someone tries to pass "NULL; SELECT * FROM SensitiveData", it will be properly parameterized. ADO.NET/Sql Server will convert this to:
 
DECLARE @id VARCHAR(100) = 'NULL; SELECT * FROM SensitiveData';
SELECT * FROM PRoducts WHERE Idx_ProductId = @id;
 
which will return no results (unless you have a Idx_ProductId that actually is that string) instead of returning the results of the second SELECT.
 
Some additional reading:
 
 
 
https://security.stackexchange.com/questions/25684/how-can-i-explain-sql-injection-without-technical-jargon
 
 
Difference between Parameters.Add and Parameters.AddWithValue
 
 
SQL injection on INSERT
 
 
Avoiding SQL injection without parameters
 
 
How do I create a parameterized SQL query? Why Should I? (VB.NET)
 
 
How can I prevent SQL injection in PHP? (PHP specific, but many helpful points)
 
 
Is there a canonical question telling people why they should use SQL parameters?