ado.net中用参数化SQL语句防止SQL注入

用 ADO.NET 和数据库打交道、且不使用存储过程的时候，使用参数化 SQL 语句可以防止由参数值引起的 SQL 注入：用户输入作为类型化参数单独传给 SQL Server，而不会拼接进 SQL 文本。需要注意的是，参数只能替代“值”，表名、列名、ORDER BY 字段等无法参数化，这类内容必须用白名单校验；另外，参数化并不能解决下面示例中密码明文入库的问题，密码应先做加盐哈希再存储。

 

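/// <summary>
/// Inserts one row into S_Admin with a parameterized INSERT. Every caller-supplied
/// value travels as a typed SqlParameter, so none of it is ever concatenated into the
/// SQL text — this is what blocks SQL injection through these arguments.
/// </summary>
/// <param name="userName">Value for the UserName column (NVARCHAR, sized 60 here).</param>
/// <param name="password">Value for the Password column, stored exactly as received.</param>
/// <param name="remark">Value for the Remark column; null is sent as DBNull.</param>
/// <param name="mail">Value for the Mail column; null is sent as DBNull.</param>
/// <param name="departId">Value for the DepartId column.</param>
/// <param name="power">Value for the Power column.</param>
/// <returns>true when the INSERT reported at least one affected row.</returns>
/// <remarks>
/// NOTE(review): this method does no hashing — whatever is passed as
/// <paramref name="password"/> lands in the table verbatim. Callers must pass a salted
/// hash (PBKDF2/Argon2-style), never the plaintext credential.
/// The connection-string name is "" in the original listing; presumably a placeholder
/// for the real entry in App.config/Web.config — confirm before use, because a missing
/// entry makes ConnectionStrings[""] return null.
/// </remarks>
public bool IsInsert(string userName, string password, string remark, string mail, int departId, int power)
{
    // Placeholders only: no user-controlled text is part of the command text.
    const string sql = "insert into S_Admin(UserName,Password,Remark,Mail,DepartId,Power)values(@UserName,@Password,@Remark,@Mail,@DepartId,@Power)";

    // using blocks guarantee Close/Dispose even when ExecuteNonQuery throws.
    // The original only closed the connection on the success path, so a
    // SqlException leaked the pooled connection.
    using (SqlConnection connection = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings[""].ConnectionString))
    using (SqlCommand command = new SqlCommand(sql, connection))
    {
        // Explicit SqlDbType + length: the provider sends a typed parameter instead
        // of inferring from the .NET value. Lengths mirror the original listing;
        // values longer than 60 chars are truncated by the driver, not rejected.
        command.Parameters.Add("@UserName", SqlDbType.NVarChar, 60).Value = DbValue(userName);
        command.Parameters.Add("@Password", SqlDbType.NVarChar, 60).Value = DbValue(password);
        command.Parameters.Add("@Remark", SqlDbType.NVarChar, 60).Value = DbValue(remark);
        command.Parameters.Add("@Mail", SqlDbType.NVarChar, 60).Value = DbValue(mail);
        // Size is meaningless for fixed-width Int; the original's ", 4" was a no-op.
        command.Parameters.Add("@DepartId", SqlDbType.Int).Value = departId;
        command.Parameters.Add("@Power", SqlDbType.Int).Value = power;

        connection.Open();
        int rowsAffected = command.ExecuteNonQuery();
        return rowsAffected > 0;
    }
}

/// <summary>
/// Maps a null string to DBNull.Value. Assigning a CLR null to SqlParameter.Value
/// makes the provider omit the parameter entirely, which fails with
/// "expects parameter @X, which was not supplied"; DBNull sends SQL NULL and lets the
/// column's NOT NULL constraint (if any) decide.
/// </summary>
private static object DbValue(string s)
{
    return s == null ? (object)DBNull.Value : s;
}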

 

 

 

 

 

 

 

 

 

 
