C#操作Oracle数据库,并对语句进行参数化,防止SQL注入
select语句:
StringBuilder strSql = new StringBuilder();
strSql.Append("Select Count(*) From Member Where UserName=:username ");
OracleParameter[] parameters = new OracleParameter[1];
parameters[0] = new OracleParameter(":username", ASPxUserName.Text.Trim().ToUpper());
dt = dBase.ExecuteDataTables(strSql.ToString(), parameters);
public DataTable ExecuteDataTables(string sql, OracleParameter[] parameterList)
{ //查询语句的参数化
Connection();
DataTable dt = new DataTable();
using (OracleDataAdapter oda = new OracleDataAdapter(sql, conn))
{
oda.SelectCommand = GetCommand(sql, parameterList);
oda.Fill(dt);
}
return dt;
}
public OracleCommand GetCommand(string sql, OracleParameter[] oraPra)
{
OracleCommand oracmd = new OracleCommand(sql, conn);
if (null != oraPra)
{
foreach (var p in oraPra)
{
oracmd.Parameters.Add(p);
}
}
return oracmd;
}