SQL 注入 参数化

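// Look up one row by its key with a bind variable instead of string concatenation.
// The statement text is a constant: the caller-supplied value only ever travels
// as a parameter, so it cannot change the structure of the query (no SQL
// injection through this path). Note that `table` is a placeholder name -- Oracle
// treats TABLE as a reserved word, so substitute the real table name.
string sqlgetobject = "select t.* from table t where t.id= :ID ";

// Bind the value under exactly the name used in the statement text. The original
// registered the parameter as ":ID " with a trailing space; whether the provider
// trims that before matching the bind variable is not guaranteed, so the name is
// given verbatim here. One parameter suffices, so the array is built directly
// (a generic list plus ToArray() only pays off when parameters are added
// conditionally). System.Data.OracleClient is a deprecated provider; the same
// pattern applies to its replacement.
System.Data.OracleClient.OracleParameter[] parms =
{
    new System.Data.OracleClient.OracleParameter(":ID", this.ID),
};

// bll.GetbySql is a project helper not shown here. The injection protection
// depends on it passing both the text and the parameter array to the command
// rather than formatting the value into the string -- confirm that in its
// implementation.
DataTable dteval = bll.GetbySql(sqlgetobject, parms);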
