In my ASP.NET (3.5) project I use the built-in TableAdapters/DataSet for all data access. Does it provide the same protection against SQL injection as SQLDataSource? I use parameters as shown below. Is TableAdapter/DataSet safe?
Dim myDAL As New ABCTableAdapters.XYZTableAdapter
Label1.Text = myDAL.getDatafromDB(myParameter)
Update 1:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    Dim myParameter As String = getSafeURL(Request.QueryString("MS_Code")) ' getSafeURL encodes the query string using HttpUtility.UrlEncode
    Dim myDAL As New ABCTableAdapters.XYZTableAdapter
    Label1.Text = myDAL.getDatafromDB(myParameter)
End Sub
getDatafromDB corresponds to the query below, which lives in app_code/DAL.xsd:
SELECT something FROM sometable WHERE fieldname = @parameter
Update 2: If I look at the code of the XSD I can see the following:
<SelectCommand>
  <DbCommand CommandType="Text" ModifiedByUser="true">
    <CommandText>SELECT pageContent FROM [content] where name = @name</CommandText>
    <Parameters>
      <Parameter AllowDbNull="true" AutogeneratedName="name" ColumnName="name" DataSourceName="iseac.dbo.[content]" DataTypeServer="nchar(100)" DbType="String" Direction="Input" ParameterName="@name" Precision="0" ProviderType="NChar" Scale="0" Size="100" SourceColumn="name" SourceColumnNullMapping="false" SourceVersion="Current" />
    </Parameters>
  </DbCommand>
</SelectCommand>
Can you show what the 'getDatafromDB' method looks like? –
@Darin Dimitrov - please see the update –
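As an added example (not code from the original question, and not what the TableAdapter designer generates verbatim), the following VB.NET class shows what the posted XSD's <SelectCommand> amounts to at the ADO.NET level, placed beside the string-concatenated variant it protects against. The class name ContentLookup and the connection string are assumptions; the table, column, parameter name and nchar(100) type come from the posted XSD.

```vbnet
' Added example (not from the original question): the TableAdapter's generated
' SelectCommand is a SqlCommand with a constant CommandText and a typed SqlParameter,
' which is what GetPageContent below does by hand. GetPageContentUnsafe is the
' concatenation pattern that parameterization exists to avoid.
Imports System.Data
Imports System.Data.SqlClient

Public Class ContentLookup
    Private ReadOnly _connectionString As String

    ' The connection string is an assumption of this example.
    Public Sub New(ByVal connectionString As String)
        _connectionString = connectionString
    End Sub

    ' UNSAFE: the caller-controlled value becomes part of the SQL text.
    ' name = "x' OR 1=1 --" returns the first row of the whole table;
    ' name = "x'; DROP TABLE [content] --" runs a second statement.
    Public Function GetPageContentUnsafe(ByVal name As String) As String
        Dim sql As String = "SELECT pageContent FROM [content] WHERE name = '" & name & "'"
        Using conn As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, conn)
                conn.Open()
                Return TryCast(cmd.ExecuteScalar(), String)
            End Using
        End Using
    End Function

    ' SAFE: equivalent to the XSD's <SelectCommand>. The SQL text is a constant;
    ' the value travels to SQL Server as an nchar(100) parameter (sp_executesql
    ' under the hood), so a quote or semicolon in it is compared as data and
    ' never reaches the SQL parser as syntax.
    Public Function GetPageContent(ByVal name As String) As String
        Const sql As String = "SELECT pageContent FROM [content] WHERE name = @name"
        Using conn As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, conn)
                cmd.CommandType = CommandType.Text
                Dim p As SqlParameter = cmd.Parameters.Add("@name", SqlDbType.NChar, 100)
                ' AllowDbNull="true" in the XSD: a Nothing value is sent as NULL.
                p.Value = If(name Is Nothing, CType(DBNull.Value, Object), CType(name, Object))
                conn.Open()
                Return TryCast(cmd.ExecuteScalar(), String)
            End Using
        End Using
    End Function
End Class
```

The injection strings in the comments only have an effect against GetPageContentUnsafe; in GetPageContent the quote and the semicolon are bytes inside the @name value. Two caveats a practitioner would check on a page like this: parameterization covers only values, so any part of a statement assembled by concatenation (a column in ORDER BY, a table name, dynamic SQL built inside a stored procedure and run with EXEC) remains injectable even when the TableAdapter call itself takes parameters; and HttpUtility.UrlEncode in the posted getSafeURL adds no injection protection once the value is bound as a parameter, while it does change the value being compared (a space in MS_Code arrives as a plus sign), so the lookup can silently miss rows.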