数据库 SqlParameter 插入操作：用参数化查询防止 SQL 注入的实现代码
示例：点击 button1 按钮时，SQL 文本保持固定，所有值都通过 SqlParameter 传入，再把数据插入数据库。
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace parameter
{
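public partial class test : System.Web.UI.Page
{
    // appSettings key that holds the database connection string.
    private const string ConnectionStringKey = "constr";

    private string connectionstr;   // connection string, read from configuration at page load
    private SqlConnection condb;    // connection used by this page (one instance per request)
    private SqlTransaction _trans;  // optional transaction; never assigned in this class, so commands auto-commit

    /// <summary>
    /// Reads the connection string from configuration and creates the (still closed) connection.
    /// Credentials are deliberately not hard-coded: a literal server/uid/pwd in source ends up in
    /// version control and in the compiled assembly. The configured login should be a
    /// least-privilege account for this application, not an administrative one.
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    /// <exception cref="InvalidOperationException">The configuration key is missing or empty.</exception>
    protected void page_load(object sender, EventArgs e)
    {
        connectionstr = ConfigurationManager.AppSettings[ConnectionStringKey];
        if (string.IsNullOrEmpty(connectionstr))
        {
            // Fail loudly at startup rather than later with an opaque "login failed".
            throw new InvalidOperationException(
                "Missing appSettings key '" + ConnectionStringKey + "' (database connection string).");
        }
        condb = new SqlConnection(connectionstr);
    }

    /// <summary>
    /// Inserts one row into oa_rt_filetype. The SQL text is a compile-time constant and every
    /// value travels as a typed SqlParameter, so data - even if it later comes from user input -
    /// can never alter the structure of the statement. That separation is what prevents injection;
    /// never concatenate a value into the SQL string.
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    protected void button1_click(object sender, EventArgs e)
    {
        const string sql =
            "insert into [oa_web_db].[dbo].[oa_rt_filetype]([filetypename],[deleted])" +
            "values(@filename,@delete)";

        SqlParameter[] parameters =
        {
            // nvarchar(100): the provider trims values longer than Size, so check the length
            // up front if the value ever comes from a request field.
            new SqlParameter("@filename", SqlDbType.NVarChar, 100) { Value = "文件类型" },
            new SqlParameter("@delete", SqlDbType.Bit) { Value = false },
        };

        label1.Text = execupdatesql(sql, parameters) ? "插入成功" : "插入失败";
    }

    /// <summary>
    /// Executes a non-query statement (INSERT/UPDATE/DELETE) with the given parameters on the
    /// page's connection, closing the connection afterwards when this call opened it.
    /// </summary>
    /// <param name="sqlstring">SQL text using @placeholders. Must be a fixed statement; caller-supplied
    /// values belong in <paramref name="cmdparms"/>, not in this string.</param>
    /// <param name="cmdparms">Parameters bound to the placeholders; may be empty or null.</param>
    /// <returns>true when the command executed without a SqlException, false otherwise.
    /// A statement that affects zero rows still returns true.</returns>
    private bool execupdatesql(string sqlstring, params SqlParameter[] cmdparms)
    {
        bool openedHere = false;
        using (SqlCommand cmd = new SqlCommand())
        {
            try
            {
                // Remember whether we are the ones opening the connection so it can be closed
                // again; previously it stayed open until the SqlConnection was collected.
                openedHere = condb.State != ConnectionState.Open;
                preparecommand(cmd, condb, _trans, sqlstring, cmdparms);
                cmd.ExecuteNonQuery();
                return true;
            }
            catch (SqlException ex)
            {
                // Keep the bool contract but do not swallow the failure silently. Log the
                // provider message server-side only; it must not be echoed to the browser.
                Trace.TraceError("execupdatesql failed: {0} (error {1})", ex.Message, ex.Number);
                return false;
            }
            finally
            {
                // An enlisted transaction still needs the connection; otherwise release it.
                if (openedHere && _trans == null)
                {
                    condb.Close();
                }
            }
        }
    }

    /// <summary>
    /// Binds connection, transaction, text and parameters to <paramref name="cmd"/>, opening the
    /// connection if it is not already open. Does not close the connection.
    /// </summary>
    /// <param name="cmd">Command to prepare.</param>
    /// <param name="conn">Connection to use; opened here when it is not open.</param>
    /// <param name="trans">Transaction to enlist in; ignored when null.</param>
    /// <param name="cmdtext">SQL text; the command type is always CommandType.Text.</param>
    /// <param name="cmdparms">Parameters to add; null means no parameters.</param>
    private void preparecommand(SqlCommand cmd, SqlConnection conn, SqlTransaction trans, string cmdtext, SqlParameter[] cmdparms)
    {
        if (conn.State != ConnectionState.Open)
        {
            conn.Open();
        }

        cmd.Connection = conn;
        cmd.CommandText = cmdtext;
        cmd.CommandType = CommandType.Text;
        if (trans != null)
        {
            cmd.Transaction = trans;
        }

        if (cmdparms == null)
        {
            return;
        }

        foreach (SqlParameter parameter in cmdparms)
        {
            // Map a C# null on an input parameter to DBNull.Value so the column receives SQL NULL.
            bool isInput = parameter.Direction == ParameterDirection.Input
                        || parameter.Direction == ParameterDirection.InputOutput;
            if (isInput && parameter.Value == null)
            {
                parameter.Value = DBNull.Value;
            }
            cmd.Parameters.Add(parameter);
        }
    }
}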
}