C#中SqlParameter的作用与用法

最新推荐文章于 2021-03-31 11:27:30 发布
最新推荐文章于 2021-03-31 11:27:30 发布
阅读量561 收藏
点赞数 2
分类专栏: C#
一般来说,在更新DataTable或是DataSet时,如果不采用SqlParameter,那么当输入的Sql语句出现歧义时,如字符串中含有单引号,程序就会发生错误,并且他人可以轻易地通过拼接Sql语句来进行注入攻击。 
string sql
 = "update
 Table1 set name = 'Pudding' where ID = '1'";//未采用SqlParameter
SqlConnection
 conn = new SqlConnection();
conn.ConnectionString
 = "Data
 Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";//连接字符串与数据库有关
SqlCommand
 cmd = new SqlCommand(sql,
 conn);
try
{
    conn.Open();
    return(cmd.ExecuteNonQuery());
}
catch (Exception)
{
    return -1;
    throw;
}
finally
{
    conn.Close();
}

上述代码未采用SqlParameter,除了存在安全性问题,该方法还无法解决二进制流的更新,如图片文件。通过使用SqlParameter可以解决上述问题,常见的使用方法有两种,Add方法和AddRange方法。

一、Add方法

<div class="cnblogs_Highlighter" style="font-family: verdana, Arial, Helvetica, sans-serif; margin: 0px; padding: 0px; border: 1px solid rgb(204, 204, 204); font-size: 13px; background-color: rgb(248, 248, 248);"><div style="margin: 0px; padding: 0px;"><div id="highlighter_476474" class="syntaxhighlighter  csharp" style="padding: 0px; width: 1022px; margin: 1em 0px !important; position: relative !important; overflow: auto !important; font-size: 1em !important; background-color: rgb(255, 255, 255) !important;"><table border="0" cellpadding="0" cellspacing="0" style="border: 1px; width: 1022px; border-collapse: collapse; margin: 0px !important; padding: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; font-size: 12px !important; min-height: inherit !important;"><tbody style="margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; min-height: inherit !important;"><tr style="margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; min-height: inherit !important;"><td class="code" style="padding: 3px; border: 1px; width: 994px; border-collapse: collapse; margin: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important; word-break: normal !important;"><div class="container" style="margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: relative !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; min-height: inherit !important;"><div class="line number1 index0 alt2" style="margin: 0px !important; padding: 0px 1em !important; background-color: rgb(248, 248, 248) !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; min-height: inherit !important;"><code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">SqlParameter sp = </code><code class="csharp keyword" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important; color: rgb(0, 0, 255) !important;">new</code> <code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">SqlParameter(</code><code class="csharp string" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important; color: blue !important;">"@name"</code><code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">,</code><code class="csharp string" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important; color: blue !important;">"Pudding"</code><code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">);</code></div><div class="line number2 index1 alt1" style="margin: 0px !important; padding: 0px 1em !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; min-height: inherit !important;"><code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">cmd.Parameters.Add(sp);</code></div><div class="line number3 index2 alt2" style="margin: 0px !important; padding: 0px 1em !important; background-color: rgb(248, 248, 248) !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; min-height: inherit !important;"><code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">sp = </code><code class="csharp keyword" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important; color: rgb(0, 0, 255) !important;">new</code> <code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">SqlParameter(</code><code class="csharp string" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important; color: blue !important;">"@ID"</code><code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">,</code><code class="csharp string" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important; color: blue !important;">"1"</code><code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">);</code></div><div class="line number4 index3 alt1" style="margin: 0px !important; padding: 0px 1em !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; min-height: inherit !important;"><code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">cmd.Parameters.Add(sp);</code></div><div><code class="csharp plain" style="white-space: pre-wrap; margin: 0px !important; padding: 0px !important; border: 0px !important; bottom: auto !important; float: none !important; height: auto !important; left: auto !important; line-height: 2em !important; outline: 0px !important; overflow: visible !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; width: auto !important; font-family: 'Courier New', Consolas, 'Bitstream Vera Sans Mono', Courier, monospace !important; min-height: inherit !important;">
</code></div></div></td></tr></tbody></table></div></div></div>

该方法每次只能添加一个SqlParameter。上述代码的功能是将ID值等于1的字段name更新为Pudding(人名)。

二、AddRange方法

SqlParameter[]
 paras = new SqlParameter[]
 { new SqlParameter("@name","Pudding"),new SqlParameter("@ID","1")
 };
cmd.Parameters.AddRange(paras);

显然,Add方法在添加多个SqlParameter时不方便,此时,可以采用AddRange方法。
  下面是通过SqlParameter向数据库存储及读取图片的代码。 
public int SavePhoto(string photourl)
{
    FileStream
 fs = new FileStream(photourl,
 FileMode.Open, FileAccess.Read);//创建FileStream对象,用于向BinaryReader写入字节数据流
    BinaryReader
 br = new BinaryReader(fs);//创建BinaryReader对象,用于写入下面的byte数组
    byte[]
 photo = br.ReadBytes((int)fs.Length);//新建byte数组,写入br中的数据
    br.Close();//记得要关闭br
    fs.Close();//还有fs
    string sql
 = "update
 Table1 set photo = @photo where ID = '0'";
    SqlConnection
 conn = new SqlConnection();
    conn.ConnectionString
 = "Data
 Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";
    SqlCommand
 cmd = new SqlCommand(sql,
 conn);
    SqlParameter
 sp = new SqlParameter("@photo",
 photo);
    cmd.Parameters.Add(sp);
    try
    {
        conn.Open();
        return (cmd.ExecuteNonQuery());
    }
    catch (Exception)
    {
        return -1;
        throw;
    }
    finally
    {
        conn.Close();
    }
}
 
public void ReadPhoto(string url)
    {
        string sql
 = "select
 photo from Table1 where ID = '0'";
        SqlConnection
 conn = new SqlConnection();
        conn.ConnectionString
 = "Data
 Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";
        SqlCommand
 cmd = new SqlCommand(sql,
 conn);
        try
        {
            conn.Open();
            SqlDataReader
 reader = cmd.ExecuteReader();//采用SqlDataReader的方法来读取数据
            if (reader.Read())
            {
                byte[]
 photo = reader[0] as byte[];//将第0列的数据写入byte数组
                FileStream
 fs = new FileStream(url,FileMode.CreateNew);创建FileStream对象,用于写入字节数据流
                fs.Write(photo,0,photo.Length);//将byte数组中的数据写入fs
                fs.Close();//关闭fs
            }
            reader.Close();//关闭reader
        }
        catch (Exception
 ex)
        {
            throw;
        }
        finally
        {
            conn.Close();
        }    }}



你无声黑白
关注
  • 2
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
C#SqlParameter参数写法
04-17
C#SqlParameter参数写法C#SqlParameter参数写法C#SqlParameter参数写法C#SqlParameter参数写法C#SqlParameter参数写法C#SqlParameter参数写法
详解C#SqlParameter作用用法
08-31
本文将详细解析SqlParameter作用及其用法,特别是在防止SQL注入和处理复杂数据类型方面的重要性。 首先,我们要了解SQL注入的风险。在直接拼接SQL语句时,如果用户输入的数据未经验证,恶意用户可能会注入恶意SQL...
C# SqlParameter类的使用方法小结
热门推荐
阳光岛主
08-06 3万+
 C# SqlParameter类的使用方法小结在c#执行sql语句时传递参数的小经验 1、直接写入法:      例如:             int Id =1;             string Name="lui";             cmd.CommandText="insert into TUserLogin values("+Id+","
C# SqlParameter 使用
weixin_30235225的博客
12-19 392
//System.Data.SqlClient.SqlParameter[] sqlParameters = new System.Data.SqlClient.SqlParameter[]{ }; System.Data.SqlClient.SqlParameter[] sqlParameters = new System.Data.SqlClient....
SqlParameter作用用法
最数据的专栏
10-03 1683
一般来说,在更新DataTable或是DataSet时,如果不采用SqlParameter,那么当输入的Sql语句出现歧义时,如字符串含有单引号,程序就会发生错误,并且他人可以轻易地通过拼接Sql语句来进行注入攻击。 string sql = "update Table1 set name = 'Pudding' where ID = '1'";//未采用SqlParameter Sq
C# Sqlparameter 的两种用法
08-27
C# Sqlparameter 的两种用法是指在 C# 语言使用 Sqlparameter 对象来执行 SQL 语句或存储过程的两种方法。 Sqlparameter 对象是 ADO.NET 的一种参数对象,它可以用来将参数传递给 SQL 语句或存储过程,从而...
C#SqlParameter类使用方法小结.doc
09-27
C#SqlParameter类使用方法小结.doc
SqlParameter的简单应用实现[C#]
04-24
防止SQL注入最常用的方法就是用变量SqlParameter,但是初学者可能会以为很难,其实很简单的,此例子是一个简单应用实现[C#],初学者可以看看
C# SqlParameter 实例
烈鹰
08-02 282
添加单个参数: string conStr = ConfigurationManager.ConnectionStrings["DBConn"].ToString(); SqlConnection conn = new SqlConnection(conStr); conn.Open(); string cmdText = "SELECT * FROM TEST WHERE Para=@Para"; SqlCommand cmd = new SqlCommand(cmdText, conn); //添加
C#——SqlParameter的使用方法及注意事项
知北行的博客
02-19 6634
SqlParameter可以防止sql注入问题,这里记录下使用方法及代码。 1.封装的sqlHelper类的数据库操作方法(部分代码,具体可参见.net 使用SQLconnection连接数据库及SQL帮助类) //这里要填入你的数据库连接字符串 private static string connectionString = "*************************"; ...
C#之 如何使用SqlParameter执行SQL
音尘啊
03-31 721
一个简单的demo,SQL帮助类见: C#SqlServer帮助类(SQLHelper),可以直接调用 string sqlCon = "server=.;uid=sa;pwd=sa;database=AssociationsManagementDb"; MySQLHelper.connectionString = sqlCon; try { string inser
C#SqlParameter
alx55843的博客
10-12 98
一般来说,在更新DataTable或是DataSet时,如果不采用SqlParameter,那么当输入的Sql语句出现歧义时,如字符串含有单引号,程序就会发生错误,并且他人可以轻易地通过拼接Sql语句来进行注入攻击。 1 string sql = "update Table1 set name = 'Pudding' where ID = '1'";/...
C#SqlParameter的基本用法和好处
weixin_30532369的博客
08-05 214
今天在看到朋友说起数据库sql注入问题说得比较复杂,就写了一个简单的列子供大家参考:   SqlConnection con = new SqlConnection(mySql); //用SqlParameter可以防止Sql注入和一些二进制流的问题(如图片) //SqlPa...
C# SqlParameter使用详解:参数传递与添加方法
"本文档主要介绍了C#SqlParameter类的使用方法,它是ADO.NET框架的一个重要组成部分,用于在执行SQL命令时动态地向数据库传递参数。本文将重点讲解两种常见的使用方式:直接在SQL字符串插入参数和通过...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值