Community
Learn
Tools Library
AI Tools
Leisure
search
English
Home > Database > Mysql Tutorial > How Can I Securely Parameterize an SQL IN Clause with a Dynamic Number of Arguments?

How Can I Securely Parameterize an SQL IN Clause with a Dynamic Number of Arguments?

Linda Hamilton
Release: 2025-01-25 16:36:10
Original
808 people have browsed it

How Can I Securely Parameterize an SQL IN Clause with a Dynamic Number of Arguments?

Use the number of dynamic parameters to parameter SQL in clause

Parameter SQL query helps prevent SQL from injecting attacks. However, when processing the parameters of variables, the traditional method (parameterization of each separate parameter in IN clauses) may become very cumbersome.

Parameterization per value

A more elegant solution is every possible value in the parameterized IN clause. For example, consider the following inquiries: 

<code class="language-sql">SELECT * FROM Tags WHERE Name IN ('ruby','rails','scruffy','rubyonrails') ORDER BY Count DESC</code>
Copy after login
To parameterize this query, you can allocate each value to an array and create a parameterized in clause: 

<code class="language-csharp">string[] tags = new string[] { "ruby", "rails", "scruffy", "rubyonrails" };
string cmdText = "SELECT * FROM Tags WHERE Name IN ({0})";

string[] paramNames = tags.Select((s, i) => "@tag" + i.ToString()).ToArray();

string inClause = string.Join(",", paramNames);
using (SqlCommand cmd = new SqlCommand(string.Format(cmdText, inClause)))
{
    for (int i = 0; i < tags.Length; i++)
    {
        cmd.Parameters.AddWithValue(paramNames[i], tags[i]);
    }
    // ... 执行查询 ...
}</code>
Copy after login
The command generated by this method contains the parameters and values ​​of dynamic generated names and values: 

<code class="language-sql">cmd.CommandText = "SELECT * FROM Tags WHERE Name IN (@tag0, @tag1, @tag2, @tag3)"
cmd.Parameters["@tag0"] = "ruby"
cmd.Parameters["@tag1"] = "rails"
cmd.Parameters["@tag2"] = "scruffy"
cmd.Parameters["@tag3"] = "rubyonrails"</code>
Copy after login
Safety precautions

It should be noted that this method can safely prevent SQL from injecting attacks, because the parameterization value is not input by the user. The only text injected into the CommandText is the hard -coded "@TAG" prefix and the index of array. These are not generated by users, so they are safe.

The above is the detailed content of How Can I Securely Parameterize an SQL IN Clause with a Dynamic Number of Arguments?. For more information, please follow other related articles on the PHP Chinese website!

source:php.cn
Previous article:How to Parameterize SQL IN Clauses with a Variable Number of Arguments? Next article:How to Safely Insert PHP Variables into MySQL Queries?
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...
From 2024-04-29 11:01:01
0
3
2588
How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?
From 2024-04-23 00:22:19
0
11
2727
The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.
From 2024-04-19 15:37:47
0
1
2313
There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...
From 2024-04-18 23:52:34
0
1
2170
Where is the courseware about CSS mind mapping? Courseware
From 2024-04-16 10:10:18
0
0
2275
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template