Custom profile providers when creating a custom profile provider for database access , ensure that you follow security best practices to prevent attacks such as sql injection attacks 在创建用于数据库访问的自定义配置文件提供程序时,请确保遵守最佳安全做法以防止如sql注入攻击等一些攻击。
One type of attack that can occur is called sql injection , where malicious code is added to strings that are later passed to an instance of sql server to be parsed and run 可能发生的一种攻击类型称为sql注入,即向字符串添加恶意代码,随后这些字符串被传递给sql server的实例以进行分析和运行。
Parameterized commands guard against a sql injection attack by ensuring that values received from an external source are passed as values only , and not part of the transact - sql statement 但是,即使大小足以接受恶意的transact - sql片断,该片断也只是作为值的一部分对待,而不会作为可执行的transact - sql代码对待。
Use parameterized commands using parameterized commands helps guard against sql injection attacks , in which an attacker " injects " a command into a sql statement that compromises security on the server 该参数定义为大小为5个字符,所以,在参数添加到命令中时,如果textbox控件中提交的字符串值超过5个字符,将引发异常。
A sql injection attack attempts to compromise your database and potentially the computer on which the database is running by creating sql commands that are executed instead of , or in addition to , the commands that you have built into your application Sql注入sql注入攻击试图创建sql命令以取代或扩充应用程序内置的命令,从而危及数据库(可能还有运行数据库的计算机)的安全。
If the report parameter is tied to a query parameter and you do not use an available values list , it is possible for a report user to type sql syntax into the text box , potentially opening the report and your server to a sql injection attack 您可以定义这样一组参数,其中一个参数的值列表取决于其他参数选取的值。例如,第一个参数可显示产品类别列表。当用户选中某个类别后,第二个参数便会根据该类别中的子类别列表进行更新。
