c# – 参数化查询与SQL注入

This works but would still be vulnerable to injections right?

是的,你的代码非常容易受到SQL注入攻击.

I know that I should be using parameterized queries to avoid SQL injections.

哦,绝对是的.

My question is,how can I do this when I’m passing the query as a string parameter?

您根本不应该将查询作为字符串参数传递.相反,您应该将查询作为包含占位符的字符串参数和这些占位符的值传递：

public static DataTable SqlDataTable(string sql,IDictionary<string,object> values)
{
    using (SqlConnection conn = new SqlConnection(DatabaseConnectionString))
    using (SqlCommand cmd = conn.CreateCommand())
    {
        conn.Open();
        cmd.CommandText = sql;
        foreach (KeyValuePair<string,object> item in values)
        {
            cmd.Parameters.AddWithValue("@" + item.Key,item.Value);
        }

        DataTable table = new DataTable();
        using (var reader = cmd.ExecuteReader())
        {
            table.Load(reader);
            return table;
        }
    }
}

然后像这样使用你的函数：

DataTable dt = SqlComm.SqlDataTable(
    "SELECT * FROM Users WHERE UserName = @UserName AND Password = @Password",new Dictionary<string,object>
    {
        { "UserName",login.Text },{ "Password",password.Text },}
);

if (dt.Rows.Count > 0)
{
   // do something if the query returns rows
}