鲁东大学网络信息部王建波
做网站也有一段时间了,一直以来都是利用replace函数来防止恶意字符。
最近开始做asp.net,感觉判断起来更是费时费力,在这里强烈建议各位不要再用replace方法了。
这里把我的参数化过程的全部代码贴出来,供各位借鉴批评。
using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient;
using System.Data.OleDb;//引入命名空间
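public partial class search : System.Web.UI.Page
{
    /// <summary>Column list shared by every search variant; only the WHERE column differs.</summary>
    private const string SelectPrefix =
        "Select HX33_WishID,HX33_Picker,HX33_Sender,HX33_WishDate From [HX33_LoveWallPosts] where ";

    /// <summary>Tail shared by every search variant.</summary>
    private const string OrderSuffix = " order by HX33_WishDate DESC";

    /// <summary>
    /// Reads the search type (request value "f") and keyword (request value "t"),
    /// runs a parameterized LIKE query against the Access database and binds the
    /// result to GridView1. Runs on every request, including postbacks, because
    /// the paging handler rebinds from the DataSource that is set here.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        // "f" chooses the column that is searched, "t" is the keyword.
        string searchType = Request["f"];
        string keyword = Request["t"] ?? string.Empty;

        // The raw values are needed again in GridView1_SelectedIndexChanged, so they
        // go into ViewState. The labels only ever receive HTML-encoded text: Label.Text
        // is rendered verbatim, so assigning request input to it directly would let a
        // crafted keyword be rendered as markup or script.
        ViewState["f"] = searchType;
        ViewState["t"] = keyword;
        Label2.Text = Server.HtmlEncode(searchType ?? string.Empty);
        Label4.Text = Server.HtmlEncode(keyword);

        // Access database through the Jet OLE DB provider. The SQL Server variant is
        // "server=localhost;database=...;uid=...;pwd=..." together with the SqlClient types.
        string db = "//lovewall//#HX33LoveWall.asp";
        string connectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath(db);

        // The searched column comes from a fixed set; user input never reaches the SQL
        // text. OLE DB parameters are positional, so the placeholder is "?" (the name
        // given to the OleDbParameter is only used for lookup in the Parameters collection).
        string column;
        if ("r" == searchType)
        {
            column = "HX33_Picker";
        }
        else if ("s" == searchType)
        {
            column = "HX33_Sender";
        }
        else
        {
            column = "HX33_WishContent";
        }
        string sql = SelectPrefix + column + " like '%'+?+'%'" + OrderSuffix;

        // Encoded for the same reason as Label2/Label4 above.
        Label3.Text = "按照您的搜索条件【" + Server.HtmlEncode(keyword) + "】所得到的结果是如下:";

        try
        {
            // using blocks close the connection on the error path as well; the original
            // only called Close() after a successful Fill.
            using (OleDbConnection connection = new OleDbConnection(connectionString))
            using (OleDbCommand command = new OleDbCommand(sql, connection))
            {
                // The keyword is bound as a value, which is what keeps quotes or SQL
                // fragments in it from altering the statement. LIKE wildcards (% and _)
                // inside the keyword are still interpreted by the database.
                OleDbParameter keywordParameter = new OleDbParameter("@keyw", OleDbType.VarChar, 8000);
                keywordParameter.Value = keyword;
                command.Parameters.Add(keywordParameter);

                connection.Open();
                using (OleDbDataAdapter adapter = new OleDbDataAdapter(command))
                {
                    DataSet results = new DataSet();
                    adapter.Fill(results);
                    GridView1.DataSource = results;
                    GridView1.DataBind();
                }
            }
        }
        catch (Exception ex)
        {
            // Exception details (provider messages, the mapped database path, stack
            // trace) belong in the trace log, not in the response body, which is
            // where the original Response.Write(ex) put them.
            Trace.Warn("search", "数据库查询失败", ex);
            Label3.Text = "查询时发生错误,请稍后再试。";
        }
    }

    /// <summary>
    /// GridView paging handler. A negative <see cref="GridViewPageEventArgs.NewPageIndex"/>
    /// is the convention used by the pager's "go to page" textbox (txtNewPageIndex);
    /// any other value is taken as the page to show. The grid is rebound in both cases.
    /// </summary>
    protected void GridView1_PageIndexChanging(object sender, GridViewPageEventArgs e)
    {
        GridView grid = (GridView)sender;
        if (e.NewPageIndex < 0)
        {
            TextBox pageNumber = null;
            if (grid.BottomPagerRow != null)
            {
                pageNumber = grid.BottomPagerRow.FindControl("txtNewPageIndex") as TextBox;
            }

            // The textbox holds user input: int.Parse threw on anything non-numeric and
            // took the whole request down. Unparsable or non-positive input, or a missing
            // textbox, falls back to the first page.
            int requestedPage;
            if (pageNumber != null && int.TryParse(pageNumber.Text, out requestedPage) && requestedPage > 0)
            {
                grid.PageIndex = requestedPage - 1;
            }
            else
            {
                grid.PageIndex = 0;
            }
        }
        else
        {
            grid.PageIndex = e.NewPageIndex;
        }

        // Page_Load already bound the grid for this request; binding again makes the new
        // PageIndex take effect. The original only rebound on the else branch, so the
        // "go to page" path changed PageIndex without refreshing the rows.
        DataBind();
    }

    /// <summary>
    /// Shortens the text of column 3 in every GridView1 row to at most
    /// <paramref name="count"/> characters followed by "..." so that long values do
    /// not distort the page layout.
    /// </summary>
    /// <param name="str">Unused; retained so existing callers keep compiling.</param>
    /// <param name="count">
    /// Maximum number of characters kept before "...". The original ignored this
    /// parameter and hard-coded a threshold of 10 with a 5-character prefix; values
    /// below 1 now leave the cells untouched.
    /// </param>
    public void cut(string str, int count)
    {
        if (count < 1)
        {
            return;
        }

        for (int i = 0; i < GridView1.Rows.Count; i++)
        {
            TableCell cell = GridView1.Rows[i].Cells[3];
            // Assumes the column was bound with HtmlEncode on (the BoundField default;
            // confirm in the .aspx). Decoding first means the length check counts
            // characters rather than entities and the cut cannot split an entity such
            // as "&amp;"; the shortened text is encoded again before it is written back.
            string text = Server.HtmlDecode(cell.Text);
            if (text.Length > count)
            {
                cell.Text = Server.HtmlEncode(text.Substring(0, count) + "...");
            }
        }
        // The original also did Response.Write(len) for every row, which dumped debug
        // numbers into the page before the markup; that output is gone.
    }

    /// <summary>
    /// Sends the browser to default.asp with the selected wish id plus the search
    /// type and keyword of the current request.
    /// </summary>
    protected void GridView1_SelectedIndexChanged(object sender, EventArgs e)
    {
        // The raw request values come from ViewState (set in Page_Load) rather than
        // from the labels, whose Text is HTML-encoded for display.
        string searchType = (ViewState["f"] as string) ?? string.Empty;
        string keyword = (ViewState["t"] as string) ?? string.Empty;
        string wishId = GridView1.SelectedRow.Cells[1].Text;

        // NOTE(review): the original sent the search type as t= and the keyword as f=,
        // the reverse of how Page_Load reads them; kept because default.asp may depend
        // on it — confirm against that page.
        // Every value is URL-encoded and the redirect is an HTTP one. The original
        // spliced the values into an inline <script> string, so a keyword containing a
        // quote could end the string and be executed as script in the visitor's browser.
        string url = "default.asp?clos=1"
            + "&t=" + Server.UrlEncode(searchType)
            + "&HX33_WishID=" + Server.UrlEncode(wishId)
            + "&f=" + Server.UrlEncode(keyword);
        Response.Redirect(url);
    }

    /// <summary>Goes to the page for adding a new entry.</summary>
    protected void Button1_Click(object sender, EventArgs e)
    {
        Response.Redirect("tianjia.aspx");
    }
}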
---------鲁东大学信息科学与工程学院网络专业 王建波
有需要 .aspx 代码的请给我留言,我会第一时间贴出来。