I'm running into a problem while trying to modify my SQL query to deal with a warning about potential SQL injection. My goal is to parameterize the query and use a raw string literal, but I get an error message.
The error seems to be related to the case sensitivity of my column names, and unfortunately I can't change the whole database to lowercase.
I've tried various other approaches, but they either cause errors or fail to retrieve the user ID correctly.
Below is the code I've tried.
- Original version (SQL injection problem)

```csharp
await dbContext.Database.ExecuteSqlRawAsync(
    $@"
    DO $$
    BEGIN
        IF (SELECT COUNT(*) FROM ""Notification"" WHERE ""UserId"" = '{userId}') > 20 THEN
            DELETE FROM ""Notification""
            WHERE ""UserId"" = '{userId}' AND ""IsReceived"" = 'TRUE' AND ""ContentId"" NOT IN (
                SELECT ""ContentId"" FROM ""Notification""
                WHERE ""UserId"" = '{userId}'
                ORDER BY ""CreatedAt"" DESC
                LIMIT 20
            );
        END IF;
    END $$"
);
```
- Raw string literal version
(Error: Npgsql.PostgresException: 42703: column UserId does not exist)

```csharp
var param = new NpgsqlParameter("@UserId", userId);
await dbContext.Database.ExecuteSqlRawAsync(
    """
    DO $$
    BEGIN
        IF (SELECT COUNT(*) FROM "Notification" WHERE "UserId" = @UserId) > 20 THEN
            DELETE FROM "Notification"
            WHERE "UserId" = @UserId AND "IsReceived" = 'TRUE' AND "ContentId" NOT IN (
                SELECT "ContentId" FROM "Notification"
                WHERE "UserId" = @UserId
                ORDER BY "CreatedAt" DESC
                LIMIT 20
            );
        END IF;
    END $$
    """, param);
```
- Raw string literal version with ExecuteSqlInterpolatedAsync
(Error: Npgsql.PostgresException: 42703: column P0 does not exist)

```csharp
await dbContext.Database.ExecuteSqlInterpolatedAsync(
    $"""
    DO $$
    BEGIN
        IF (SELECT COUNT(*) FROM "Notification" WHERE "UserId" = {userId}) > 20 THEN
            DELETE FROM "Notification"
            WHERE "UserId" = {userId} AND "IsReceived" = 'TRUE' AND "ContentId" NOT IN (
                SELECT "ContentId" FROM "Notification"
                WHERE "UserId" = {userId}
                ORDER BY "CreatedAt" DESC
                LIMIT 20
            );
        END IF;
    END $$
    """);
```
I'd appreciate guidance on the best way to make this change.
Thanks for your help!
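The following is an added example, not code from the question above. The two parameterized attempts fail for the same reason: the body of a `DO $$ ... $$` block is a dollar-quoted string constant, so PostgreSQL never substitutes query parameters inside it. The server then reads `@UserId` as the `@` operator applied to an unquoted identifier (folded to lowercase, hence "column userid does not exist"), and the EF-generated `@p0` the same way. Splicing the value into that string, as the first version does, is exactly the injection the analyzer flagged. The fix is to express the cleanup as a single plain `DELETE`, which can be fully parameterized; the quoted identifiers keep the mixed-case column names as they are. It assumes EF Core 7 or later (`ExecuteSqlAsync` taking an interpolated string; on older versions `ExecuteSqlInterpolatedAsync` behaves the same), Npgsql as the provider, and that `userId` is a `Guid` matching the column type; `dbContext` and `userId` are the poster's own names, `TrimReceivedNotificationsAsync` is a hypothetical name.

```csharp
// Added example (not from the original question): the DO-block cleanup rewritten
// as one parameterized DELETE. Assumes EF Core 7+, Npgsql, and a uuid "UserId" column.
using System;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

public static class NotificationCleanup
{
    // Once a user has more than 20 notifications, deletes the already-received ones
    // that are not among the 20 newest. Returns the number of rows deleted.
    public static async Task<int> TrimReceivedNotificationsAsync(DbContext dbContext, Guid userId)
    {
        // Each {userId} below is turned into a DbParameter by EF Core; the value is sent
        // separately from the SQL text, so it can never alter the statement's structure.
        // This only works because the statement is plain SQL, not a dollar-quoted DO body.
        return await dbContext.Database.ExecuteSqlAsync($"""
            DELETE FROM "Notification"
            WHERE "UserId" = {userId}
              AND "IsReceived" = TRUE
              AND (SELECT COUNT(*) FROM "Notification" WHERE "UserId" = {userId}) > 20
              AND "ContentId" NOT IN (
                  SELECT "ContentId" FROM "Notification"
                  WHERE "UserId" = {userId}
                  ORDER BY "CreatedAt" DESC
                  LIMIT 20
              );
            """);
    }
}
```

The CLR type of the parameter must match the column: if "UserId" is a `text` column, pass a `string`, otherwise PostgreSQL rejects the comparison with an operator-does-not-exist error rather than coercing it. Keeping the whole operation in one statement also preserves the atomicity the DO block was presumably meant to provide.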