用 ADO.NET 和数据库打交道、在不使用存储过程的时候，使用参数化 SQL 语句可以防止 SQL 注入：参数值是和 SQL 文本分开发送给服务器的，只会被当作数据，不会被解析成 SQL。需要注意的是，它只保护通过参数传入的值；如果表名、列名、ORDER BY 等仍然靠字符串拼接，或者在服务器端再用 EXEC 拼接动态 SQL，注入风险依然存在。
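/// <summary>
/// Inserts one row into S_Admin with a parameterized INSERT. All six values are
/// bound as SqlParameters and never spliced into the SQL text, which is what keeps
/// the statement safe from SQL injection for these values.
/// </summary>
/// <param name="userName">Value for S_Admin.UserName (sent as NVarChar(60)).</param>
/// <param name="password">Value for S_Admin.Password, written exactly as received.
/// NOTE(review): nothing in this method hashes it; if callers pass the cleartext
/// password it is stored in cleartext -- confirm that callers hash (e.g. PBKDF2) first.</param>
/// <param name="remark">Value for S_Admin.Remark (NVarChar(60)).</param>
/// <param name="mail">Value for S_Admin.Mail (NVarChar(60)).</param>
/// <param name="departId">Value for S_Admin.DepartId (Int).</param>
/// <param name="power">Value for S_Admin.Power (Int).</param>
/// <returns>true when the INSERT reported at least one affected row.</returns>
/// <exception cref="InvalidOperationException">
/// The connection-string entry is missing from configuration.
/// </exception>
/// <exception cref="SqlException">Propagated from SqlClient/the server (e.g. a constraint violation).</exception>
public bool IsInsert(string userName, string password, string remark, string mail, int departId, int power)
{
    // The connection-string name is an empty placeholder in this listing; replace it with
    // the <connectionStrings> entry name of the target database.
    System.Configuration.ConnectionStringSettings settings =
        System.Configuration.ConfigurationManager.ConnectionStrings[""];
    if (settings == null)
    {
        // The original dereferenced the entry unconditionally and died with a
        // NullReferenceException when it was absent; fail with a clear message instead.
        throw new InvalidOperationException("Connection string entry not found in configuration.");
    }

    // Only named placeholders appear in the SQL text; the values are bound below.
    string sql = " insert into S_Admin(UserName,Password,Remark,Mail,DepartId,Power)values(@UserName,@Password,@Remark,@Mail,@DepartId,@Power) ";

    // using-blocks dispose the connection and command even when Open/ExecuteNonQuery throw.
    // The original closed them only on the success path, leaking a pooled connection on error.
    using (SqlConnection connection = new SqlConnection(settings.ConnectionString))
    using (SqlCommand command = new SqlCommand(sql, connection))
    {
        // Parameter names must match the @placeholders in the SQL text exactly (no stray
        // whitespace), otherwise SqlClient reports the parameter as not supplied.
        // Size 60 caps what SqlClient sends for a string input parameter: longer values are
        // cut to 60 characters without an error. Keep it in sync with the column widths, and
        // note that a password hash longer than 60 characters would be silently truncated.
        command.Parameters.Add("@UserName", SqlDbType.NVarChar, 60).Value = userName;
        command.Parameters.Add("@Password", SqlDbType.NVarChar, 60).Value = password;
        command.Parameters.Add("@Remark", SqlDbType.NVarChar, 60).Value = remark;
        command.Parameters.Add("@Mail", SqlDbType.NVarChar, 60).Value = mail;
        // Size is meaningless for fixed-width Int parameters, so it is not specified.
        command.Parameters.Add("@DepartId", SqlDbType.Int).Value = departId;
        command.Parameters.Add("@Power", SqlDbType.Int).Value = power;

        connection.Open();
        int rowsAffected = command.ExecuteNonQuery();
        return rowsAffected > 0;
    }
}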