String sql = String.Format("select * from [users] where username='{0}'", Request.QueryString["username"]);
这个代码等价于:
String sql = "select * from [users] where username='" + Request.QueryString["username"] + "'";不要被String.Format欺骗
众所周知,.net使用参数的方式可以避免注入的问题,但是审核代码时注意不要被String.Format格式化字符串的代码欺骗:
String sql = String.Format("select * from [users] where username='{0}'", Request.QueryString["username"]);
这个代码等价于:
String sql = "select * from [users] where username='" + Request.QueryString["username"] + "'";
String sql = String.Format("select * from [users] where username='{0}'", Request.QueryString["username"]);这个代码等价于:
String sql = "select * from [users] where username='" + Request.QueryString["username"] + "'";