参数化SQL语句一定程度上防止SQL注入

public bool InsertAdmin(string userName, string password, string remark, string mail, int departId, int power)
{
        string sql = "insert into S_Admin(UserName,Password,Remark,Mail,DepartId,Power)values(@UserName,@Password,@Remark,@Mail,@DepartId,@Power)";
        SqlConnection connection = new SqlConnection();
        connection.ConnectionString = "";//此处设置链接字符串
        SqlCommand command = new SqlCommand(sql, connection);
        command.Parameters.Add("@UserName",SqlDbType.NVarChar, 60).Value = userName;

        command.Parameters.Add("@Password", SqlDbType.NVarChar, 60).Value = password;
        command.Parameters.Add("@Remark", SqlDbType.NVarChar, 60).Value = remark;
        command.Parameters.Add("@Mail", SqlDbType.NVarChar, 60).Value = mail;

command.Parameters.Add("@DepartId", SqlDbType.Int, 4).Value = departId;
command.Parameters.Add("@Power", SqlDbType.Int, 4).Value = power;

        connection.Open();
        int rowsAffected = command.ExecuteNonQuery();        connection.Close();        command.Dispose();
        return rowsAffected > 0;
    }
}

posted @ 2009-07-17 22:34 小白.net 阅读(746) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

小白.net

OO是我们的目标,设计模式是我们的做法

参数化SQL语句一定程度上防止SQL注入

公告