个人对SQL预编译的认识:
1、效率提升,对SQL语句编译一次可多次使用.避免了硬解析和软解析等步骤,当执行的语句上规模的时候性能差异还是很明显的。
2、安全提升,预编译之后的SQL语句,语义不会发生变化,安全性有相当大的提升。
using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Data.SqlClient; using System.Data;namespace PreSql {class Program{/** create table test_table ( a nvarchar(20) )insert into test_table(a) values('2');*/const string conStr = @"Password=1qaz!QAZ;Persist Security Info=True;User ID=sa;Initial Catalog=IBatisNet;Data Source=WANGN\CR";static void Main(string[] args){Console.WriteLine("SqlJoin:");SqlJoin();Console.WriteLine();Console.WriteLine("PreSqlTest");PreSqlTest();Console.WriteLine("Completed");Console.Read();}static void SqlJoin(){string sql = "select count(*) from test_table where a='{0}'";string tmpSql = string.Format(sql, "1' or '1'='1");string tmpSql2 = string.Format(sql, "1");using (SqlConnection conn = new SqlConnection(conStr)){if (conn.State != ConnectionState.Open){conn.Open();}SqlCommand com = new SqlCommand(tmpSql, conn);object obj = com.ExecuteScalar();Console.WriteLine("SQL注入成功:" + obj.ToString());SqlCommand com2 = new SqlCommand(tmpSql2, conn);object obj2 = com2.ExecuteNonQuery();Console.WriteLine("正常应返回-1:" + obj2);}}static void PreSqlTest(){string sql = "select count(*) from test_table where a=@id";using (SqlConnection conn = new SqlConnection(conStr)){if (conn.State != ConnectionState.Open){conn.Open();}SqlCommand com = new SqlCommand(sql, conn);com.Parameters.Add(new SqlParameter{DbType = DbType.String,Size = 256,ParameterName = "@id",Value = "1 or 1=1"});object obj = com.ExecuteScalar();Console.WriteLine("SQL注入不成功:" + obj.ToString());SqlCommand com2 = new SqlCommand(sql, conn);com2.Parameters.Add(new SqlParameter{DbType = DbType.String,Size = 256,ParameterName = "@id",Value = "1"});object obj2 = com2.ExecuteNonQuery();Console.WriteLine("正常应返回-1:" + obj2);}}} }
执行结果:
SqlJoin:
SQL注入成功:1
正常应返回-1:-1
PreSqlTest
SQL注入不成功:0
正常应返回-1:-1
Completed
陷阱)
)
连接到IBM MQ时出现问题)
)
