SQL注入的解决方案
ADO.NET参数技术
-
SQL中的参数
-
在ADO.NET中，把SQL语句里由用户提供的数据（如登录名、密码）作为参数对象传入，而不是拼接进SQL文本；这样这些数据只会作为值发送，永远不会被当作SQL代码执行。
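/// <summary>
/// Executes a query and returns an open <see cref="SqlDataReader"/> over its result set.
/// The SQL text must be trusted (a literal or constant written by the caller); every
/// user-controlled value must be supplied through <paramref name="parameters"/> and never
/// concatenated into <paramref name="sql"/>.
/// </summary>
/// <param name="sql">The SQL statement to execute, with @placeholders for its values.</param>
/// <param name="parameters">Parameter objects for all placeholders in <paramref name="sql"/>; may be null.</param>
/// <returns>
/// An open reader. The connection is closed automatically when the reader is closed
/// (<see cref="CommandBehavior.CloseConnection"/>), so the caller must close/dispose the reader.
/// </returns>
public static SqlDataReader GetReader(string sql, SqlParameter[] parameters)
{
    SqlConnection con = new SqlConnection(constr);
    SqlCommand cmd = new SqlCommand(sql, con);
    if (parameters != null)
    {
        // Bind the values; the driver sends them separately from the SQL text.
        cmd.Parameters.AddRange(parameters);
    }
    try
    {
        con.Open();
        // CloseConnection: no manual close needed, the connection is released when the reader is closed.
        return cmd.ExecuteReader(CommandBehavior.CloseConnection);
    }
    catch (Exception)
    {
        // Nothing was handed back to the caller, so release the connection here.
        con.Close();
        // TODO(review): the original only left a "write to system log" note here; hook up the real logger.
        // `throw;` (not `throw ex;`) preserves the original stack trace for diagnostics.
        throw;
    }
}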
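/// <summary>
/// Looks up the admin whose LoginId and LoginPwd both match the values in <paramref name="adm"/>.
/// Both values are bound as SQL parameters, so the query text never contains user input.
/// </summary>
/// <param name="adm">Carries the LoginId and LoginPwd to check.</param>
/// <returns>The matching admin, or null when no row matches. If several rows match, the last one read wins.</returns>
/// <exception cref="ArgumentNullException"><paramref name="adm"/> is null.</exception>
public Admins GetAdmins(Admins adm)
{
    if (adm == null)
    {
        throw new ArgumentNullException("adm");
    }

    // Only the columns read below; the SQL is a constant with placeholders, no string.Format needed.
    const string sql = "SELECT AdminName, LoginId, LoginPwd FROM Admins WHERE LoginId=@id AND LoginPwd=@Pwd";
    SqlParameter[] parameters =
    {
        new SqlParameter("@id", System.Data.SqlDbType.Int) { Value = adm.LoginId },
        new SqlParameter("@Pwd", System.Data.SqlDbType.VarChar, 50) { Value = adm.LoginPwd }
    };

    // NOTE(review): the password is compared as stored, inside SQL. That implies LoginPwd is kept in
    // clear text, and the match follows the column's collation (a case-insensitive collation would
    // accept a wrong-case password). Storing a salted hash (e.g. PBKDF2) and verifying it in code
    // with a constant-time comparison fixes both, but needs a schema change, so it is not done here.
    Admins found = null;
    // using: the reader (and, via CloseConnection, the connection) is released even if reading throws.
    using (SqlDataReader reader = DBHelper.SQLHelper.GetReader(sql, parameters))
    {
        while (reader.Read())
        {
            found = new Admins()
            {
                AdminName = reader["AdminName"].ToString(),
                LoginId = Convert.ToInt32(reader["LoginId"]),
                // NOTE(review): copies the stored password onto the returned object; callers should not need it.
                LoginPwd = reader["LoginPwd"].ToString()
            };
        }
    }
    return found;
}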