Parameterized queries (a simple example)
Posted by 定不负相思懿
These past few days I have been looking up material on protecting SQL statements against injection; after some typing and tweaking it finally works. Without further ado, here is the code:
```csharp
// Connection string: integrated Windows authentication against the local SQL Server instance.
string str = @"server=LAPTOP-CM9CUARS;Integrated Security=SSPI;database=Space;";
using (SqlConnection Conn = new SqlConnection(str))
{
    Conn.Open(); // open the database connection
    using (SqlCommand Cmd = Conn.CreateCommand())
    {
        // The user-supplied values are bound as parameters instead of being concatenated into the
        // SQL text, so input such as  ' OR 1=1 --  is compared as a literal string, not parsed as SQL.
        // count(*) is used so that ExecuteScalar() returns the number of matching rows rather than the
        // first column of the first row.
        Cmd.CommandText = "select count(*) from tabUsers where id=@ID and hspwd=@hspwd";
        Cmd.Parameters.Add(new SqlParameter("@ID", ID));
        Cmd.Parameters.Add(new SqlParameter("@hspwd", hspwd1)); // hspwd1: the hashed password
        int count = Convert.ToInt32(Cmd.ExecuteScalar());
        if (count > 0)
        {
            Session["ID1"] = ID;
            // The display-name lookup uses the same parameterized pattern. The original built this
            // query by concatenating ID into the string, which reintroduces the injection the first
            // query avoids. The column name "name" is assumed here; the original fetched it through a
            // helper whose query column is not shown.
            Cmd.Parameters.Clear();
            Cmd.CommandText = "select name from tabUsers where id=@ID";
            Cmd.Parameters.Add(new SqlParameter("@ID", ID));
            string name = Convert.ToString(Cmd.ExecuteScalar());
            Session["name"] = name;
            Response.Write("<script>alert('Login successful!');location='Space.aspx'</script>");
        }
        else
        {
            Response.Write("<script>alert('Login failed, please enter the correct account and password!')</script>");
        }
    }
}
```