
数据库SqlParameter 的插入操作,防止sql注入的实现代码

程序员文章站 2024-03-02 08:35:46

例子：点击 Button1 按钮时，通过参数化 SQL（SqlParameter）把数据插入数据库。插入的值不拼接进 SQL 文本，而是作为带类型的参数单独传给 SQL Server，因此即使值里含有引号、注释符等内容也只会被当作普通数据存储，不会被当作 SQL 执行——这才是防止 SQL 注入的根本，与对输入做"过滤"无关。另外，示例中的连接字符串应从配置文件读取并使用最小权限的数据库账号，不要在源码里写死 sa 账号和密码。

代码如下:

using system;
using system.collections.generic;
using system.linq;
using system.web;
using system.web.ui;
using system.web.ui.webcontrols;
using system.text;
using system.data.sqlclient;
using system.data;
using system.configuration;

namespace parameter
{
    public partial class test : system.web.ui.page
    {
        private string connectionstr;  //链接数据库的字符串
        private sqlconnection condb;   //数据库的链接
        private sqltransaction _trans; //事务对象

        protected void page_load(object sender, eventargs e)
        {
            //connectionstr = configurationsettings.appsettings["constr"];
            connectionstr = "server=10.11.43.189\\sql2008;database=oa_web_db;uid=sa;pwd=123456";
            condb = new sqlconnection(connectionstr);
        }

        protected void button1_click(object sender, eventargs e)
        {
            stringbuilder strsql = new stringbuilder();
            strsql.append("insert into [oa_web_db].[dbo].[oa_rt_filetype]([filetypename],[deleted])");
            strsql.append("values(@filename,@delete)");
            sqlparameter[] parameters = {
                                 new sqlparameter("@filename", sqldbtype.nvarchar,100),
                                 new sqlparameter("@delete",sqldbtype.bit),

                             };
            parameters[0].value = "文件类型";
            parameters[1].value = false;
          bool issucc =   execupdatesql(strsql.tostring(), parameters);
          if (issucc)
          {
             label1.text =  "插入成功";
          }
          else
          {
              label1.text = "插入失败";
          }

        }
        /// 执行一条更新语句
        /// </summary>
        /// <param name="sqlstring">需要执行的sql语句。</param>
        /// <param name="cmdparms">执行参数数组</param>
        /// <returns>成功返回true,失败返回false。</returns>
        private bool execupdatesql(string sqlstring, params sqlparameter[] cmdparms)
        {
            using (sqlcommand cmd = new sqlcommand())
            {
                try
                {
                    preparecommand(cmd, condb, _trans, sqlstring, cmdparms);
                    int iret = cmd.executenonquery();
                    return true;
                }
                catch (system.data.sqlclient.sqlexception e)
                {
                    return false;
                }
            }
        }
        private void preparecommand(sqlcommand cmd, sqlconnection conn, sqltransaction trans, string cmdtext, sqlparameter[] cmdparms)
        {
            if (conn.state != connectionstate.open)
                conn.open();
            cmd.connection = conn;
            cmd.commandtext = cmdtext;
            if (trans != null)
                cmd.transaction = trans;
            cmd.commandtype = commandtype.text;//cmdtype;
            if (cmdparms != null)
            {
                foreach (sqlparameter parameter in cmdparms)
                {
                    if ((parameter.direction == parameterdirection.inputoutput || parameter.direction == parameterdirection.input) &&
                        (parameter.value == null))
                    {
                        parameter.value = dbnull.value;
                    }
                    cmd.parameters.add(parameter);
                }
            }
        }

    }
}