视频1 视频21 视频41 视频61 视频文章1 视频文章21 视频文章41 视频文章61 推荐1 推荐3 推荐5 推荐7 推荐9 推荐11 推荐13 推荐15 推荐17 推荐19 推荐21 推荐23 推荐25 推荐27 推荐29 推荐31 推荐33 推荐35 推荐37 推荐39 推荐41 推荐43 推荐45 推荐47 推荐49 关键词1 关键词101 关键词201 关键词301 关键词401 关键词501 关键词601 关键词701 关键词801 关键词901 关键词1001 关键词1101 关键词1201 关键词1301 关键词1401 关键词1501 关键词1601 关键词1701 关键词1801 关键词1901 视频扩展1 视频扩展6 视频扩展11 视频扩展16 文章1 文章201 文章401 文章601 文章801 文章1001 资讯1 资讯501 资讯1001 资讯1501 标签1 标签501 标签1001 关键词1 关键词501 关键词1001 关键词1501 专题2001
数据库SqlParameter 的插入操作,防止sql注入的实现代码
2020-11-27 22:41:14 责编:小采
文档
点击下载本文 文档为doc格式

例子:  点击Button1按钮的时候就把数据插入数据库中。
代码如下:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Text;
using System.Data.SqlClient;
using System.Data;
using System.Configuration;

namespace ParaMeter
{
    public partial class Test : System.Web.UI.Page
    {
        private string connectionStr;  //链接数据库的字符串
        private SqlConnection conDB;   //数据库的链接
        private SqlTransaction _trans; //事务对象

        protected void Page_Load(object sender, EventArgs e)
        {
            //connectionStr = ConfigurationSettings.AppSettings["constr"];
            connectionStr = "server=10.11.43.1\\SQL2008;database=OA_WEB_DB;uid=sa;pwd=123456";
            conDB = new SqlConnection(connectionStr);
        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            StringBuilder strSql = new StringBuilder();
            strSql.Append("INSERT INTO [OA_WEB_DB].[dbo].[OA_RT_FileType]([FileTypeName],[Deleted])");
            strSql.Append("VALUES(@fileName,@delete)");
            SqlParameter[] parameters = {
                                 new SqlParameter("@fileName", SqlDbType.NVarChar,100),
                                 new SqlParameter("@delete",SqlDbType.Bit),

                             };
            parameters[0].Value = "文件类型";
            parameters[1].Value = false;
          bool IsSucc =   ExecUpdateSql(strSql.ToString(), parameters);
          if (IsSucc)
          {
             Label1.Text =  "插入成功";
          }
          else
          {
              Label1.Text = "插入失败";
          }

        }
        /// 执行一条更新语句
        /// </summary>
        /// <param name="SQLString">需要执行的SQL语句。</param>
        /// <param name="cmdParms">执行参数数组</param>
        /// <returns>成功返回True,失败返回False。</returns>
        private bool ExecUpdateSql(string SQLString, params SqlParameter[] cmdParms)
        {
            using (SqlCommand cmd = new SqlCommand())
            {
                try
                {
                    PrepareCommand(cmd, conDB, _trans, SQLString, cmdParms);
                    int iret = cmd.ExecuteNonQuery();
                    return true;
                }
                catch (System.Data.SqlClient.SqlException e)
                {
                    return false;
                }
            }
        }
        private void PrepareCommand(SqlCommand cmd, SqlConnection conn, SqlTransaction trans, string cmdText, SqlParameter[] cmdParms)
        {
            if (conn.State != ConnectionState.Open)
                conn.Open();
            cmd.Connection = conn;
            cmd.CommandText = cmdText;
            if (trans != null)
                cmd.Transaction = trans;
            cmd.CommandType = CommandType.Text;//cmdType;
            if (cmdParms != null)
            {
                foreach (SqlParameter parameter in cmdParms)
                {
                    if ((parameter.Direction == ParameterDirection.InputOutput || parameter.Direction == ParameterDirection.Input) &&
                        (parameter.Value == null))
                    {
                        parameter.Value = DBNull.Value;
                    }
                    cmd.Parameters.Add(parameter);
                }
            }
        }

    }
}

下载本文
显示全文
专题
懂视 51dongshi.net 版权所有
Copyright © 2019-2025