//Sqlhelp类
using System;
using System.Data;
using MySql.Data.MySqlClient;
public class Sqlhelp
{
public static string connSting= "server='Server IP'; User ID='User Name'; password='Password';database='DB Name'";
public Sqlhelp()
{
//
// TODO: Add constructor logic here
//
}
#region LoadDate(参数化查询,返回Datatable)
/// <summary>
/// 参数化查询,防止SQL注入
/// </summary>
/// <param name="sql">参数化SQL语句</param>
/// <param name="parameters">参数化参数</param>
/// <returns>Datatable</returns>
public static DataTable LoadData(string sql,params MySqlParameter[] parameters)
{
DataSet ds = new DataSet();
MySqlConnection conn = new MySqlConnection(connSting);
try
{
conn.Open();
MySqlCommand cmd = new MySqlCommand();
cmd.Connection = conn;
cmd.CommandText = sql;
cmd.CommandType = CommandType.Text;
foreach (MySqlParameter parameter in parameters)
{
if (parameter.Value == null || parameter.Value.ToString() == "")
{
parameter.Value = DBNull.Value;
}
cmd.Parameters.Add(parameter);
}
MySqlDataAdapter adapter = new MySqlDataAdapter(cmd);
adapter.Fill(ds);
}
catch (Exception ex)
{
throw ex;
}
finally
{
conn.Close();
}
return ds.Tables[0];
}
#endregion
#region CURD(参数化增删改查)
/// <summary>
/// Insert、Update、Delete参数化增删改查
/// </summary>
/// <param name="sql">参数化sql语句</param>
/// <returns>affect row</returns>
public static int CURD(string sql, params MySqlParameter[] parameters)
{
int affectrow = 0;
MySqlConnection conn=new MySqlConnection(connSting);
try
{
conn.Open();
MySqlCommand command = new MySqlCommand();
command.Connection = conn;
command.CommandText = sql;
command.CommandType = CommandType.Text;
foreach (MySqlParameter parameter in parameters)
{
if (parameter.Value == null || parameter.Value.ToString() == "")
{
parameter.Value = DBNull.Value;
}
command.Parameters.Add(parameter);
}
affectrow = command.ExecuteNonQuery();
}
catch (Exception ex)
{
throw ex;
}
finally
{
conn.Close();
}
return affectrow;
}
#endregion
}
//Sqlhelp 类调用
//查询
MySqlParameter[] parameters = new MySqlParameter[] {
new MySqlParameter("@username","Test"),
new MySqlParameter("@password","Password")
};
DataTable tb_tmp = Sqlhelp.LoadData("select UserName,Password from UserList where UserName=@username and Password=@password", parameters);
//插入
parameters = new MySqlParameter[] { new MySqlParameter("@username", "Test") };
Sqlhelp.CURD("insert into userlist (UserName,Password) values (@username,@password)", parameters);
C#MySQL 参数化查询类 防止SQL注入
于 2023-04-17 16:48:25 首次发布