オンラインで、主にデスクトップや携帯電話のアプリケーションからアクセスする MYSQL データベースを使用したいと考えています。誰かに私のコードをざっと見てもらい、セキュリティに関して何を変更/改善する必要があるか教えてもらいたいです。基本的に、コードを改善できますか、それとも変更する必要がありますか?
これが私のコードです:
-- Create the database and switch the session to it before any schema objects are created.
CREATE DATABASE db_person_cdtest;
GO
USE [db_person_cdtest];
GO
-- ANSI_NULLS and QUOTED_IDENTIFIER are session settings that SQL Server records with each
-- procedure/function at CREATE time, so they are set once here for everything that follows.
SET ANSI_NULLS ON;
SET QUOTED_IDENTIFIER ON;
GO
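-- Person: one row per contact. The row holds PII (names, addresses, phone numbers),
-- so application logins should reach it through the usp_* procedures rather than
-- being granted SELECT/INSERT/UPDATE on the table itself.
CREATE TABLE [dbo].[Person](
    [PersonID]       [numeric](18, 0) IDENTITY(1,1) NOT NULL,  -- surrogate key
    [ID]             [varchar](20)  NULL,   -- external identifier; combined with Description by dbo.usp_PersonCategoryLookup
    [FirstName]      [varchar](50)  NOT NULL,
    [LastName]       [varchar](50)  NOT NULL,
    [AddressLine1]   [varchar](50)  NULL,
    [AddressLine2]   [varchar](50)  NULL,
    [AddressLine3]   [varchar](50)  NULL,
    [MobilePhone]    [varchar](20)  NULL,
    [HomePhone]      [varchar](20)  NULL,
    [Description]    [varchar](10)  NULL,
    -- Writers that omit DateModified get the insert time; the usp_* procedures pass GETDATE() explicitly.
    [DateModified]   [datetime]     NULL
        CONSTRAINT [DF_Person_DateModified] DEFAULT (GETDATE()),
    [PersonCategory] [varchar](30)  NOT NULL,  -- derived value: ID + Description (see dbo.usp_PersonCategoryLookup)
    [Comment]        [varchar](max) NULL,
    -- Clustered on the identity column in descending order, as in the original design.
    CONSTRAINT [PK_Person] PRIMARY KEY CLUSTERED
    (
        [PersonID] DESC
    ) WITH (IGNORE_DUP_KEY = OFF) ON [PRIMARY]
) ON [PRIMARY];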
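GO
-- usp_InsertPerson: adds one dbo.Person row, deriving PersonCategory from @ID and @Description.
-- Every value arrives as a typed parameter, so the application must bind arguments to this
-- call rather than build the EXEC text by string concatenation.
-- dbo.usp_PersonCategoryLookup must already exist when this CREATE runs: SQL Server only
-- defers resolution of table names, not function references.
-- CREATE PROCEDURE has to be the first statement in its batch, hence the surrounding GO.
CREATE PROCEDURE [dbo].[usp_InsertPerson]
(
    @ID           VARCHAR(20),
    @FirstName    VARCHAR(50),
    @LastName     VARCHAR(50),
    @AddressLine1 VARCHAR(50),
    @AddressLine2 VARCHAR(50),
    @AddressLine3 VARCHAR(50),
    @MobilePhone  VARCHAR(20),
    @HomePhone    VARCHAR(20),
    @Description  VARCHAR(10),
    @Comment      VARCHAR(max)
)
AS
BEGIN
    DECLARE @PersonCategory VARCHAR(30);
    SET @PersonCategory = dbo.usp_PersonCategoryLookup(@ID, @Description);

    -- The lookup returns NULL when @ID or @Description is NULL, and PersonCategory is NOT NULL.
    -- Fail here with a clear message instead of letting the INSERT raise a generic constraint error.
    IF @PersonCategory IS NULL
    BEGIN
        RAISERROR('usp_InsertPerson: @ID and @Description are required to derive PersonCategory.', 16, 1);
        RETURN;
    END;

    INSERT INTO dbo.Person
        (ID, FirstName, LastName, AddressLine1, AddressLine2, AddressLine3,
         MobilePhone, HomePhone, Description, DateModified, PersonCategory, Comment)
    VALUES
        (@ID, @FirstName, @LastName, @AddressLine1, @AddressLine2, @AddressLine3,
         @MobilePhone, @HomePhone, @Description, GETDATE(), @PersonCategory, @Comment);
END
GO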
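GO
-- usp_UpdatePerson: overwrites every editable column of the dbo.Person row identified by
-- @PersonID and re-derives PersonCategory from @ID and @Description.
-- Updates zero rows (no error) when @PersonID matches nothing or is NULL.
-- dbo.usp_PersonCategoryLookup must already exist when this CREATE runs: SQL Server only
-- defers resolution of table names, not function references.
-- CREATE PROCEDURE has to be the first statement in its batch, hence the surrounding GO.
CREATE PROCEDURE [dbo].[usp_UpdatePerson]
(
    @PersonID     NUMERIC(18, 0),
    @ID           VARCHAR(20),
    @FirstName    VARCHAR(50),
    @LastName     VARCHAR(50),
    @AddressLine1 VARCHAR(50),
    @AddressLine2 VARCHAR(50),
    @AddressLine3 VARCHAR(50),
    @MobilePhone  VARCHAR(20),
    @HomePhone    VARCHAR(20),
    @Description  VARCHAR(10),
    @Comment      VARCHAR(max)
)
AS
BEGIN
    DECLARE @PersonCategory VARCHAR(30);
    SET @PersonCategory = dbo.usp_PersonCategoryLookup(@ID, @Description);

    -- The lookup returns NULL when @ID or @Description is NULL, and PersonCategory is NOT NULL.
    -- Fail here with a clear message instead of letting the UPDATE raise a generic constraint error.
    IF @PersonCategory IS NULL
    BEGIN
        RAISERROR('usp_UpdatePerson: @ID and @Description are required to derive PersonCategory.', 16, 1);
        RETURN;
    END;

    UPDATE dbo.Person
    SET ID             = @ID,
        FirstName      = @FirstName,
        LastName       = @LastName,
        AddressLine1   = @AddressLine1,
        AddressLine2   = @AddressLine2,
        AddressLine3   = @AddressLine3,
        MobilePhone    = @MobilePhone,
        HomePhone      = @HomePhone,
        Description    = @Description,
        DateModified   = GETDATE(),
        PersonCategory = @PersonCategory,
        Comment        = @Comment
    WHERE PersonID = @PersonID;
END
GO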
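GO
-- usp_SearchPerson: returns every dbo.Person row whose FirstName, LastName or PersonCategory
-- matches @SearchCriteria, which is applied verbatim as a LIKE pattern. Because the caller
-- controls the pattern, '%', '_' and '[' in the input act as wildcards and a bare '%' returns
-- the whole table with all PII columns; the application should escape or restrict the input
-- if that is not intended.
-- Columns are listed explicitly so a later ALTER TABLE cannot silently widen the result set.
-- CREATE PROCEDURE has to be the first statement in its batch, hence the surrounding GO.
CREATE PROCEDURE [dbo].[usp_SearchPerson]
(
    @SearchCriteria VARCHAR(50)
)
AS
BEGIN
    SELECT
        PersonID,
        ID,
        FirstName,
        LastName,
        AddressLine1,
        AddressLine2,
        AddressLine3,
        MobilePhone,
        HomePhone,
        Description,
        DateModified,
        PersonCategory,
        Comment
    FROM dbo.Person
    WHERE FirstName      LIKE @SearchCriteria
       OR LastName       LIKE @SearchCriteria
       OR PersonCategory LIKE @SearchCriteria;
END
GO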
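GO
-- usp_SelectPerson: returns the single dbo.Person row with the given surrogate key
-- (empty result set when @PersonID matches nothing or is NULL).
-- Columns are listed explicitly so a later ALTER TABLE cannot silently widen the result set.
-- CREATE PROCEDURE has to be the first statement in its batch, hence the surrounding GO.
CREATE PROCEDURE [dbo].[usp_SelectPerson]
(
    @PersonID NUMERIC(18, 0)
)
AS
BEGIN
    SELECT
        PersonID,
        ID,
        FirstName,
        LastName,
        AddressLine1,
        AddressLine2,
        AddressLine3,
        MobilePhone,
        HomePhone,
        Description,
        DateModified,
        PersonCategory,
        Comment
    FROM dbo.Person
    WHERE PersonID = @PersonID;
END
GO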
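GO
-- usp_PersonCategoryLookup: derives PersonCategory as the concatenation @ID + @Description.
-- With SQL Server's default CONCAT_NULL_YIELDS_NULL ON, a NULL in either argument yields NULL.
-- Created under dbo because the usp_* procedures reference it as dbo.usp_PersonCategoryLookup,
-- and it must be created before those procedures (function references are bound at CREATE time).
-- Naming note: the usp_ prefix suggests a procedure, but this is a scalar function.
CREATE FUNCTION [dbo].[usp_PersonCategoryLookup]
(
    @ID          VARCHAR(20),
    @Description VARCHAR(10)
)
RETURNS VARCHAR(30)
AS
BEGIN
    -- VARCHAR(20) + VARCHAR(10) is at most 30 characters, so it fits the return type without truncation.
    RETURN @ID + @Description;
END
GO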