好得很程序员自学网


Using dynamic SQL to prevent SQL injection - Website Security - Self-study

The example SQL statement (SQL Server T-SQL) is as follows. The search term is not concatenated into the SQL text; it is passed to sp_executesql as a declared parameter, so the value is bound as data when the statement runs and cannot change the structure of the query:

DECLARE @variable NVARCHAR(100)        -- the untrusted search term, handed over as data only
DECLARE @SQLString NVARCHAR(1024)      -- the SQL text; it never contains user input
DECLARE @ParmDefinition NVARCHAR(500)  -- declares the parameters the SQL text refers to

-- @searchFilter below is a parameter placeholder inside the batch, not a concatenated value.
-- The doubled single quotes ('') produce one single quote in the executed statement.
SET @SQLString = N'SELECT OEV.Name, OEV.Position, Base_Employee.Address, OEV.Telephone, OEV.MobilePhone, OEV.Email, OEV.RealDepID
                   FROM Base_OrganizeEmployeeView AS OEV
                   JOIN Base_Employee
                   ON Base_Employee.Emp_ID = OEV.Emp_ID
                   WHERE (OEV.Account LIKE ''%'' + @searchFilter + ''%'' OR OEV.Name LIKE ''%'' + @searchFilter + ''%'' OR OEV.Position LIKE ''%'' + @searchFilter + ''%'' ) AND STATE = 1'

-- The parameter type matches the variable bound to it (NVARCHAR(100), not VARCHAR),
-- so no implicit conversion takes place at bind time.
SET @ParmDefinition = N'@searchFilter NVARCHAR(100)'

SET @variable = N'k'

-- sp_executesql compiles the statement with @searchFilter as a real parameter;
-- the content of @variable is supplied at execution time and is never parsed as SQL.
EXECUTE sp_executesql @SQLString, @ParmDefinition, @searchFilter = @variable
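The following is an added example, not code from the original page: it puts the string-concatenated form of the same search beside the sp_executesql form and runs both against a constructed temporary table (#Employee, its columns and its three rows are assumptions made for this demonstration), so the behavioural difference is visible. It also covers a caveat the page does not mention: a parameter stops injection, but LIKE wildcards inside the value still reach the pattern, which is handled with ESCAPE.

```sql
-- Added example (not from the original page). #Employee and its rows are constructed here.
SET NOCOUNT ON;

CREATE TABLE #Employee (
    Emp_ID   INT IDENTITY(1,1) PRIMARY KEY,
    Account  NVARCHAR(50),
    Name     NVARCHAR(100),
    Position NVARCHAR(100),
    STATE    INT
);
INSERT INTO #Employee (Account, Name, Position, STATE) VALUES
    (N'kchen', N'Kevin Chen', N'Engineer', 1),
    (N'mlee',  N'Mary Lee',   N'Manager',  1),
    (N'jdoe',  N'John Doe',   N'Intern',   0);   -- inactive, must never be returned

-- Attacker-controlled input: closes the string literal, appends OR 1=1, comments out the rest.
DECLARE @hostile NVARCHAR(100) = N'zzz%'' OR 1=1 --';

-- 1) Vulnerable: the value is spliced into the SQL text, so the quote in it ends the
--    literal and the remainder is parsed as SQL. The executed text becomes
--    ... WHERE Name LIKE '%zzz%' OR 1=1 --%' AND STATE = 1
--    and all three rows come back, including the inactive one.
DECLARE @bad NVARCHAR(1024) =
    N'SELECT Account, Name FROM #Employee WHERE Name LIKE ''%' + @hostile + N'%'' AND STATE = 1';
PRINT @bad;
EXEC (@bad);

-- 2) Parameterized: the SQL text is fixed; @searchFilter is a parameter of the batch.
--    The hostile value is matched as a literal pattern and selects nothing.
DECLARE @sql NVARCHAR(1024) =
    N'SELECT Account, Name FROM #Employee WHERE Name LIKE ''%'' + @searchFilter + ''%'' AND STATE = 1';
DECLARE @params NVARCHAR(200) = N'@searchFilter NVARCHAR(100)';
EXEC sp_executesql @sql, @params, @searchFilter = @hostile;   -- 0 rows
EXEC sp_executesql @sql, @params, @searchFilter = N'k';       -- Kevin Chen only

-- 3) Caveat: parameters stop injection, not wildcard abuse. A bare '%' as the search
--    term still matches every active row because it is interpreted by LIKE.
DECLARE @wild NVARCHAR(100) = N'%';
EXEC sp_executesql @sql, @params, @searchFilter = @wild;      -- Kevin Chen, Mary Lee

-- Escape the LIKE metacharacters in the value and declare the escape character,
-- so '%' and '_' supplied by the user are matched literally.
DECLARE @escaped NVARCHAR(100) =
    REPLACE(REPLACE(REPLACE(@wild, N'\', N'\\'), N'%', N'\%'), N'_', N'\_');
DECLARE @sqlEsc NVARCHAR(1024) =
    N'SELECT Account, Name FROM #Employee WHERE Name LIKE ''%'' + @searchFilter + ''%'' ESCAPE ''\'' AND STATE = 1';
EXEC sp_executesql @sqlEsc, @params, @searchFilter = @escaped; -- 0 rows: no name contains a literal %

DROP TABLE #Employee;
```

Run the batch in SQL Server Management Studio or sqlcmd against any database; the PRINT of @bad shows the spliced statement that a concatenating application would have sent. The escape step is the part most often forgotten when a search box is "fixed" by switching to parameters: it does not let an attacker change the query, but without ESCAPE a single `%` enumerates every active record.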

