SQL 防止注入
var strsql = "insert into Staff_Answer (ExamTitleID,QuestionsID,MultipleChoice,RightOption,AnswerOption,IsRight,Score,StaffScore,Remark,State,Creator,CreatOrg,CreateTime) values";
strsql += "(@ExamTitleID,@QuestionsID,@MultipleChoice,@RightOption,@AnswerOption,@IsRight,@Score,@StaffScore,@Remark,@State,@Creator,@CreatOrg,@CreateTime)";
var cmd = new SqlCommand(strsql);
var param = new SqlParameter[] {
new SqlParameter("@ExamTitleID",SqlDbType.UniqueIdentifier),
new SqlParameter("@QuestionsID",SqlDbType.UniqueIdentifier),
new SqlParameter("@MultipleChoice",SqlDbType.NVarChar,2),
new SqlParameter("@RightOption",SqlDbType.NVarChar,200),
new SqlParameter("@AnswerOption",SqlDbType.NVarChar,200),
new SqlParameter("@IsRight",SqlDbType.NVarChar,2),
new SqlParameter("@Score",SqlDbType.Decimal,18),
new SqlParameter("@StaffScore",SqlDbType.Decimal,18),
new SqlParameter("@Remark",SqlDbType.Text),
new SqlParameter("@State",SqlDbType.NVarChar,2),
new SqlParameter("@Creator",SqlDbType.NVarChar,200),
new SqlParameter("@CreatOrg",SqlDbType.NVarChar,200),
new SqlParameter("@CreateTime",SqlDbType.NVarChar,200)
};
param[0].Value = new Guid(this.ExamTitleCode.Value);
param[1].Value = new Guid(QuestionsID);
param[2].Value = Anserdt.Rows[0]["MultipleChoice"].ToString();
param[3].Value = RightOption;
param[4].Value = AnswerOption;
param[5].Value = ISRight ? "1" : "0";
param[6].Value = Convert.ToInt32(Question.Rows[0]["Score"]);
param[7].Value = ISRight ? Convert.ToInt32(Question.Rows[0]["Score"]) : 0;
param[8].Value = this.Remark.InnerText;
param[9].Value = "1";
param[10].Value = userid;
param[11].Value = Orgname1;
param[12].Value = DateTime.Now;
foreach (SqlParameter para in param)
{
cmd.Parameters.Add(para);
}
helps.GetExecuteNonQueryBySqlPa(cmd);