I am using Gnome Data Access (libgda) to access a database from a C program. I use GdaSqlBuilder to build my queries. Here is sample code that adds an equality condition on the requested field:
#include <libgda/libgda.h>

/* The builder is a GdaSqlBuilder created elsewhere in the program. */
extern GdaSqlBuilder *builder;

GdaSqlBuilderId add_equal_condition(const gchar *m_name, const GValue *m_value)
{
    GdaSqlBuilderId name, value, condition;
    /* left-hand side: the column identifier */
    name = gda_sql_builder_add_id(builder, m_name);
    /* right-hand side: the value added as a literal expression, not as a placeholder */
    value = gda_sql_builder_add_expr_value(builder, NULL, m_value);
    condition = gda_sql_builder_add_cond(builder, GDA_SQL_OPERATOR_TYPE_EQUAL, name, value, 0);
    return condition;
}
Does libgda protect itself against SQL injection, or do I need to sanitize the input myself before passing it to GDA?
Thanks in advance for your answers.
Best answer
This is explained in the introduction:
When creating an SQL string which contains values (literals), one can be tempted (as it is the easiest solution) to create a string containing the values themselves, execute that statement and apply the same process the next time the same statement needs to be executed with different values. This approach has two major flaws outlined below which is why Libgda recommends using variables in statements (also known as parameters or place holders) and reusing the same GdaStatement object when only the variable's values change.
Regarding sql - Gnome's libgda and SQL injection, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/15340543/