数据库SqlParameter 的插入操作,防止sql注入的实现代码
例子: 点击Button1按钮的时候就把数据插入数据库中。
代码如下:
using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.Web.UI; using System.Web.UI.WebControls; using System.Text; using System.Data.SqlClient; using System.Data; using System.Configuration; namespace ParaMeter { public partial class Test : System.Web.UI.Page { private string connectionStr; //链接数据库的字符串 private SqlConnection conDB; //数据库的链接 private SqlTransaction _trans; //事务对象 protected void Page_Load(object sender, EventArgs e) { //connectionStr = ConfigurationSettings.AppSettings["constr"]; connectionStr = "server=10.11.43.189\\SQL2008;database=OA_WEB_DB;uid=sa;pwd=123456"; conDB = new SqlConnection(connectionStr); } protected void Button1_Click(object sender, EventArgs e) { StringBuilder strSql = new StringBuilder(); strSql.Append("INSERT INTO [OA_WEB_DB].[dbo].[OA_RT_FileType]([FileTypeName],[Deleted])"); strSql.Append("VALUES(@fileName,@delete)"); SqlParameter[] parameters = { new SqlParameter("@fileName", SqlDbType.NVarChar,100), new SqlParameter("@delete",SqlDbType.Bit), }; parameters[0].Value = "文件类型"; parameters[1].Value = false; bool IsSucc = ExecUpdateSql(strSql.ToString(), parameters); if (IsSucc) { Label1.Text = "插入成功"; } else { Label1.Text = "插入失败"; } } /// 执行一条更新语句 /// </summary> /// <param name="SQLString">需要执行的SQL语句。</param> /// <param name="cmdParms">执行参数数组</param> /// <returns>成功返回True,失败返回False。</returns> private bool ExecUpdateSql(string SQLString, params SqlParameter[] cmdParms) { using (SqlCommand cmd = new SqlCommand()) { try { PrepareCommand(cmd, conDB, _trans, SQLString, cmdParms); int iret = cmd.ExecuteNonQuery(); return true; } catch (System.Data.SqlClient.SqlException e) { return false; } } } private void PrepareCommand(SqlCommand cmd, SqlConnection conn, SqlTransaction trans, string cmdText, SqlParameter[] cmdParms) { if (conn.State != ConnectionState.Open) conn.Open(); cmd.Connection = conn; cmd.CommandText = cmdText; if (trans != null) cmd.Transaction = trans; cmd.CommandType = CommandType.Text;//cmdType; if (cmdParms != null) { foreach (SqlParameter parameter in cmdParms) { if ((parameter.Direction == ParameterDirection.InputOutput || parameter.Direction == ParameterDirection.Input) && (parameter.Value == null)) { parameter.Value = DBNull.Value; } cmd.Parameters.Add(parameter); } } } } }
相关推荐
qshpeng 2020-03-06
chenjiazhu 2020-07-08
一对儿程序猿 2020-07-04
tanrong 2020-06-11
ALiDan 2020-07-27
qshpeng 2020-07-26
世樹 2020-07-17
明月清风精进不止 2020-06-13
godfather 2020-06-13
ItBJLan 2020-06-11
ALiDan 2020-06-11
码墨 2020-06-09
世樹 2020-06-05
lt云飞扬gt 2020-06-03
godfather 2020-06-03
qshpeng 2020-05-11
明月清风精进不止 2020-05-07