黑马程序员 参数化查询避免SQL注入漏洞攻击
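// Demo-only connection string copied from the page. In real code the credentials
// must not live in source: load the connection string from protected configuration.
string connectionString = "Data Source=.; Initial Catalog=MyTest;User ID=sa;Password=123456";

// Validate the numeric filter before touching the database. Convert.ToInt32 on the
// raw text box throws FormatException/OverflowException on empty or malformed input;
// TryParse turns that into a user-facing message instead.
if (!int.TryParse(txtAGe.Text, out int minAge))
{
    MessageBox.Show("Age must be a whole number.");
}
else
{
    using (SqlConnection conn = new SqlConnection(connectionString))
    {
        conn.Open();
        using (SqlCommand cmd = conn.CreateCommand())
        {
            // Building the statement by string concatenation lets a crafted Name value
            // change the SQL itself (SQL injection). Do NOT write it like this:
            // cmd.CommandText = "select age from T_STudent where Name='"+txtName.Text+"'";
            //
            // With parameters the user input travels as a typed value, never as SQL text.
            cmd.CommandText = "select age from T_Student where Name=@Name or Age>@aaa";

            cmd.Parameters.Add(new SqlParameter("@Name", txtName.Text));
            cmd.Parameters.Add(new SqlParameter("@aaa", minAge));

            // The same pattern applies to every statement kind:
            //   insert into .... values(@Name,@Age)
            //   delete .... where Id=@HahahId
            //   update t1 set Age=@myage

            // Parameters can only stand in for values. They cannot replace table names,
            // column names or keywords such as select; this does not work:
            //   cmd.CommandText = "select age from @TableName";
            //   cmd.Parameters.Add(new SqlParameter("@TableName", "T_Student"));

            // Common beginner mistake: passing the control instead of its Text property:
            //   cmd.Parameters.Add(new SqlParameter("@Name", txtName));

            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    // GetInt32 maps to SQL int; GetInt64 (long) would be needed for bigint.
                    // Guard against NULL: GetInt32 throws on a DBNull column value.
                    if (reader.IsDBNull(0))
                    {
                        continue;
                    }

                    int age = reader.GetInt32(0);
                    MessageBox.Show(age.ToString());
                }
            }
        }
    }
}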