到底是什么在这使得它如此SQLParameter prevents在.NET参数化查询SQL Inection攻击？难道仅仅剥离出任何可疑人物或者是有更多的东西来呢？

What exactly is going on in the background that makes it so SQLParameter prevents SQL Inection attacks in a .NET Parameterized query? Is it just stripping out any suspect characters or is there something more to it?

有没有人在那里检查，看看有什么实际获取到SQL Server当你通过恶意输入？

Has anyone out there checked to see what actually gets to SQL Server when you pass malicious input?

相关阅读：Can您在SQL FROM语句中使用的SqlParameter？

推荐答案

基本上，当您使用SQLParameters执行一个SqlCommand，该参数不会直接插入语句。相反，所谓sp_executesql的一个系统存储过程的调用，并给出了SQL字符串和参数数组。当这样使用时，参数被隔离，而不是具有被解析出（并因此可能改变它），那么什么的参数包含永远不能被执行的声明和作为数据处理，。你只是得到一个大胖子的错误，该参数值在某种程度上是无效的。

Basically, when you perform a SQLCommand using SQLParameters, the parameters are never inserted directly into the statement. Instead, a system stored procedure called sp_executesql is called and given the SQL string and the array of parameters. When used as such, the parameters are isolated and treated as data, instead of having to be parsed out of the statement (and thus possibly changing it), so what the parameters contain can never be "executed". You'll just get a big fat error that the parameter value is invalid in some way.