using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Data.SqlClient;
namespace 防sql注入式攻击_sqlParamter
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = @"Data Source=DESKTOP-UJ5IEQK\THIRTEEN;Initial Catalog=test_ADO.net;Integrated Security=true";
SqlCommand cmd = new SqlCommand();
cmd.Connection = con;
cmd.CommandText = "denglu"; //执行存储过程的名称
cmd.CommandType = CommandType.StoredProcedure; //执行类型为:存储过程
cmd.Parameters.AddWithValue("@name",textBox1.Text); //输入参数的快速添加
cmd.Parameters.AddWithValue("@password", textBox2.Text);
//第一种
//SqlParameter p = new SqlParameter();
//p.Direction = ParameterDirection.ReturnValue; //返回值类型
//cmd.Parameters.Add(p); //和cmd对象关联
//con.Open();
//cmd.ExecuteScalar(); //Command对象的执行
//int i = Convert.ToInt32(cmd.Parameters[2].Value);
//返回参数、输出参数的值必须在Command对象执行之后才有值
//返回值只能是整型,不能是返回字符串
//输出参数,可以返回任何类型
//第二种
//SqlConnection con = new SqlConnection();
//con.ConnectionString = @"Data Source=DESKTOP-UJ5IEQK\THIRTEEN;Initial Catalog=test_ADO.net;Integrated Security=true";
//SqlCommand cmd = new SqlCommand();
//cmd.CommandText = "select count(*) from student_User where sname=@name and spassword=@password;";
//cmd.Connection = con;
//SqlParameter p1 = new SqlParameter(); //创建SqlParameter对象
//p1.ParameterName = "@name"; //参数的名称
//p1.SqlDbType = SqlDbType.NChar; //参数的类型
//p1.Size = 50; //参数类型的大小
//p1.Direction = ParameterDirection.Input; //参数的方向,Input 输入;Output 输出;InputOutput 输入或输出;Return Value 返回值
//p1.Value = textBox1.Text; //输入参数的值
//SqlParameter p2 = new SqlParameter();
//p2.ParameterName = "@password";
//p2.SqlDbType = SqlDbType.NChar;
//p2.Size = 50;
//p2.Direction = ParameterDirection.Input;
//p2.Value = textBox2.Text;
//cmd.Parameters.Add(p1);
//cmd.Parameters.Add(p2);
//con.Open();
//int i = Convert.ToInt32(cmd.ExecuteScalar());
//以下代码第一、二种都需要.
//if (i==0)
//{
// label3.Text = "登录失败!";
//}
//else
//{
// label3.Text = "登录成功!";
//}
//con.Close();
//第三种,加入输出参数@msg
SqlParameter p = new SqlParameter();
p.ParameterName = "@msg";
p.Direction = ParameterDirection.Output;
p.SqlDbType = SqlDbType.NVarChar;
p.Size = 50;
cmd.Parameters.Add(p);
con.Open();
cmd.ExecuteScalar();
String s = cmd.Parameters[2].Value.ToString();
label3.Text = s;
con.Close();
}
}
}
//第一、二种数据库代码
//USE[test_ADO.net]
//GO
///****** Object: StoredProcedure [dbo].[denglu] Script Date: 2018/4/2 20:22:19 ******/
//SET ANSI_NULLS ON
//GO
//SET QUOTED_IDENTIFIER ON
//GO
//-- =============================================
//-- Author: <Author,,Name>
//-- Create date: <Create Date,,>
//-- Description: <Description,,>
//-- =============================================
//CREATE PROCEDURE denglu
//@name nvarchar(50),
//@password nvarchar(50)
//AS
//BEGIN
// declare @num int
// select @num=count(*) from student_User where sname = @name and spassword = @password;
// if(@num=0)
// return 0
// else
// return 1
//END
//第三种数据库代码,加入输出参数@msg
//USE[test_ADO.net]
//GO
///****** Object: StoredProcedure [dbo].[denglu] Script Date: 2018/4/9 19:20:40 ******/
//SET ANSI_NULLS ON
//GO
//SET QUOTED_IDENTIFIER ON
//GO
//-- =============================================
//-- Author: <Author,,Name>
//-- Create date: <Create Date,,>
//-- Description: <Description,,>
//-- =============================================
//ALTER PROCEDURE[dbo].[denglu]
//@name nvarchar(50),
//@password nvarchar(50),
//@msg nvarchar(50) output
//AS
//BEGIN
//declare @num int ,@num2 int
//select @num=count(*) from student_User where sname = @name and spassword = @password;
//select @num2 = count(*) from student_User where sname = @name;
// if(@num=0 and @num2 = 1)
// set @msg = '密码错误'
// else if(@num=0 and @num2 = 0)
// set @msg = '用户名不存在'
// else
// set @msg = '登录成功!'