vc mfc ado sql防止流入

vc mfc ado sql防止注入

不要直接用用户输入的数据如果数据库包含恶意字符这样会导致 hack 填空导致?delete from SELLINFO where Merchandise = '1' OR '1'='1' ?执行数据全部删除?

CString m_name = " '1' ?OR '1'='1' ";

sql.Format("delete from SellInfo where ?Merchandise = ?%s ", m_name);

?m_pConnection->Execute((_bstr_t)sql, NULL, adCmdText); ?

try{?

CString m_name = "??1' ?OR '1'='1??";?

sql.Format("delete from SellInfo where ?Merchandise =??'%s'?", m_name);

?m_pConnection->Execute((_bstr_t)sql, NULL, adCmdText); ?

}

catch(_com_error ? e)?

AfxMessageBox(e.Description());?

return;

会导致数据全部删除?