SqlParameter 转递参数防止SQL注入(参数传递的最优选择)
string sql=@"select * from M_Customer c where c.id is not null and c.UnitName is not null and c.UnitName like '%'+@contractorname+'%'
order by c.UnitName
Offset 0 Rows Fetch Next 20 Rows only
";
var listSqlParams = new List<SqlParameter>();
listSqlParams.Add(new SqlParameter("@contractorname", contractorname));
var list = this.CurrentRepository.SqlQuery<ValueText>(sql, listSqlParams.ToArray()).ToList();
//登录按钮 用户名和密码不对也可以成功登录
//1.1获取到用户名和密码
string uname = txtName.Text;
string pwd = txtPwd.Text;
//1.2发送SQL指令,拼接SQL方式
string str = "Data Source=.;Initial Catalog=MySchool;uid=sa;";
string sql = "select count(1) from student where studentName='" + uname + "' and Loginpwd='" + pwd + "'";
SqlConnection con = new SqlConnection(str);
SqlCommand cmd = new SqlCommand(sql, con);
con.Open();
int count = Convert.ToInt32(cmd.ExecuteScalar());
if (count > 0)
{
MessageBox.Show("成功登录!");
}
else
{
MessageBox.Show("失败!");
}
//用户名输入 ' or 1=1 -- 密码输入 :随便输
//SQL Server 查询的语句是 select count(1) from student where studentName='' or 1=1 --' and Loginpwd='sb
SQL 防止注入(SqlParameter传参)
最新推荐文章于 2024-07-31 22:18:21 发布