// Request-wide SQL-injection scan, run before any database work.
// NOTE(review): SqlInject is a project type not visible here. Request-string
// filters of this kind are usually pattern blacklists and are bypassable, so
// treat this as defense-in-depth only — the parameterized queries further down
// are what actually prevent injection.
var injectionScan = new SqlInject(this.Request);
injectionScan.CheckSqlInject();
最基础：用 SqlParameter 参数化 INSERT（Basic form: parameterized INSERT with SqlParameter）
// Signature log: writes one row per call into ceshi(ceshiname, createdate).
// The SDate/paiban_id/signatureStr values are concatenated into a single log
// message and bound as @ceshiname, so none of them touch the SQL text and the
// statement cannot be altered through them.
// NOTE(review): the width of the ceshiname column is not visible here — a long
// signatureStr may raise a truncation error; and if signatureStr is a secret
// (HMAC/token), storing it verbatim in a log table is itself a disclosure
// risk — confirm both with the schema owner.
string signatureLogSql =
    "insert into ceshi(ceshiname,createdate) values(@ceshiname,getdate())";
string signatureLogText = string.Concat(
    "SDate:", SDate,
    ",paiban_id:", paiban_id,
    ",signatureStr:", signatureStr);
SqlParameter[] signatureLogParams =
{
    new SqlParameter("@ceshiname", signatureLogText)
};
int iaddddd2 = DBHelper.ExecuteNonQuery(signatureLogSql, parameters: signatureLogParams);
第二种数据库访问类：使用位置占位符 @0（Second database helper: positional @0 placeholder instead of a named SqlParameter）
// Cancel a ticket record (quxiao=1) through the second DB helper.
// `@0` is a positional placeholder — presumably bound by SqlHelp.ExecNonQuery to
// the first extra argument (Ticket_recordId); TODO confirm against SqlHelp.
// The id is bound, not concatenated, so this is injection-safe.
// NOTE(review): nothing visible here verifies that the current user may cancel
// this particular record — confirm the caller authorizes Ticket_recordId
// before this runs (otherwise any caller can cancel any ticket by id).
string cancelTicketSql = "update Ticket_record set quxiao=1 where id=@0";
int addd = SqlHelp.ExecNonQuery(cancelTicketSql, Ticket_recordId);
解决参数不能直接用于 IN (1,2,3) 的问题：用拆分函数把一个字符串参数变成行集，避免把 ID 列表拼接进 SQL（Fix for IN (...) not accepting a list parameter: split one bound string into rows instead of concatenating IDs into the SQL text）
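-- Splits @c on the delimiter @split and returns one row per token in [col].
-- Purpose in this file: lets an ID list reach `WHERE x IN (...)` as ONE bound
-- parameter (see the caller below) instead of being concatenated into the SQL
-- text, which is the injection-prone pattern this replaces.
-- Tokens are returned untrimmed and may be empty (e.g. for 'a,,b').
-- NOTE(review): [col] is varchar(20); a token longer than 20 characters makes the
-- INSERT fail with a truncation error rather than being silently cut — the
-- caller should bound token length if input is untrusted.
CREATE FUNCTION [dbo].[f_split](@c varchar(2000),@split varchar(2))
returns @t TABLE(col varchar(20))
AS
begin
    declare @pos int
    declare @splitLen int

    -- Guard: with an empty delimiter CHARINDEX does not behave as a "not found"
    -- (it returns a non-zero position on recent SQL Server versions), which
    -- would shred the input one character at a time. Treat the whole input as
    -- a single token instead.
    set @splitLen = datalength(@split)
    if @splitLen is null or @splitLen = 0
    begin
        insert @t(col) values(@c)
        return
    end

    set @pos = charindex(@split,@c)
    while (@pos <> 0)
    begin
        insert @t(col) values(substring(@c,1,@pos-1))
        -- Remove the token AND the whole delimiter. The original removed only
        -- @pos characters, i.e. one character of the delimiter, so a two-character
        -- @split (the declared maximum) left its second character glued to the
        -- front of the next token.
        set @c = stuff(@c,1,@pos+@splitLen-1,'')
        set @pos = charindex(@split,@c)
    end
    -- Last (or only) token; also the path taken when @c is NULL.
    insert @t(col) values(@c)
    return
end
GO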
调用（Usage — bind the whole ID list as a single parameter）:
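-- Usage: bind the whole comma-separated ID list as ONE parameter (@ids) and let
-- f_split expand it into rows. The original example hard-coded '1,2,3', which
-- never exercised a parameter and so did not show the safe calling form; if the
-- list is concatenated into this string on the C# side the split function buys
-- nothing. Selecting [col] explicitly avoids depending on f_split's column order.
-- NOTE(review): if systemid is numeric, every token is implicitly converted and a
-- single non-numeric token fails the whole statement — validate the list on the
-- caller side (digits and commas only) before binding.
select * from user_yue where systemid in (select col from dbo.f_split(@ids,','))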
解决 TOP 不能直接接参数的问题：写成 TOP (@top)（Fix for a parameterized TOP: the value must be wrapped in parentheses）
-- TOP accepts a variable/parameter only in the parenthesised form TOP (@top).
-- @top arrives as a bound integer, so the row limit can come from the request
-- without touching the SQL text; still clamp it on the caller side (not visible
-- here) so a huge value cannot pull the whole table.
-- NOTE(review): `del <> 1` also excludes rows where del IS NULL — confirm that
-- is the intended meaning of "not deleted".
SELECT TOP (@top) *
FROM wenchuang
WHERE del <> 1
ORDER BY paixu DESC