C#-sql语句规范
样式一(对于传入参数的场景,防止sql攻击):
using CodeReading.Entity; using CodeReading.Entity.Comm; using CodeReading.Entity.History; using System; using System.Collections.Generic; using System.Configuration; using System.Data.SqlClient; using System.Linq; using System.Text;namespace CodeReading.View.DAL { public class HistoryDAL { // 数据取得 private static string connectionString = ConfigurationManager.ConnectionStrings["ConnectionStrings"].ConnectionString; public SearchResult Search(SearchConditions searchConditions) { using (var conn = new SqlConnection(connectionString)) using (var cmd = new SqlCommand()) { cmd.Connection = conn; // SQL参数生成 StringBuilder sql = new StringBuilder(); // SELECT DbId,OtherID,Signed,TagCode,ScanDate,Pass,FileName FROM dbo.Used sql.AppendLine(" SELECT "); sql.AppendLine(" ,DbId"); // 表单类型 sql.AppendLine(" ,FileName"); // 图片名 sql.AppendLine(" FROM "); sql.AppendLine(" dbo.Used "); // Used表 sql.AppendLine(" Where "); sql.AppendLine(" ScanDate >= @hsDtpFrom "); // 扫描开始时刻 sql.AppendLine(" And ScanDate <= @hsDtpTo "); // 扫描结束时刻 cmd.Parameters.Add("@hsDtpFrom", searchConditions.HsDtpFrom); // 扫描开始时刻 赋值 cmd.Parameters.Add("@hsDtpTo", searchConditions.HsDtpTo); // 扫描结束时刻 赋值 // "表单类型"有值时 if (!string.IsNullOrEmpty(searchConditions.HsDbId)) { sql.AppendLine(" And DbId = @hsDbId "); // 表单类型 cmd.Parameters.Add("@hsDbId", searchConditions.HsDbId); // 表单类型 赋值 }// 数据取得 cmd.CommandText = sql.ToString(); using (SqlDataAdapter reader = new SqlDataAdapter(cmd)) { var result = new SearchResult(); result.Suceeded = true; var errorInfo = new ErrorInfo(); result.ErrorInfo = errorInfo; var dt = new HistoryDataSet.SearchListDataTable(); reader.Fill(dt); result.SearchData = dt; reusing CodeReading.Entity;
return result;
....
样式二(适合安全可控的程序的接口):
1 using System; 2 3 public class Class1 4 { 5 public void CV() 6 { 7 StringBuilder sUMresult = new StringBuilder(); 8 9 using (SqlConnection conn = new SqlConnection(Appconfig.GetMSStr())) 10 { 11 conn.Open(); 12 using (SqlTransaction trans = conn.BeginTransaction()) 13 { 14 try 15 { 16 SqlCommand cmd = new SqlCommand(); 17 cmd.Connection = conn; 18 cmd.Transaction = trans; 19 20 StringBuilder resultlog = new StringBuilder(); 21 string chksql = ""; 22 23 // sql1 24 chksql = @"delete from table where Work='{1}'"; 25 chksql += @" and LotNO in (select * from table where id='{0}')"; 26 chksql = string.Format(chksql, idstr, workstr); 27 resultlog.AppendLine(" sql:" + chksql); 28 cmd.CommandText = chksql; 29 cmd.ExecuteNonQuery(); 30 31 //sql2略 32 33 trans.Commit(); 34 35 resultlog.AppendLine("删除执行完毕"); 36 Appconfig.WriteLogFile(resultlog.ToString(), "删除日志"); 37 38 result.Code = 0; 39 result.ResMsg = "删除成功"; 40 result.IsSuccess = true; 41 #region 42 #endregion 43 } 44 catch (Exception ex) 45 { 46 trans.Rollback(); 47 48 result.Code = -1; 49 result.ResMsg = ex.Message; 50 sUMresult.AppendLine("ID:" + idstr + "+Work:" + workstr + ",删除出错" + ex.Message); 51 result.IsSuccess = false; 52 53 StringBuilder str = new StringBuilder(); 54 str.AppendLine("ID:" + idstr); 55 str.AppendLine("Work:" + workstr); 56 str.AppendLine("删除出错:" + ex.Message); 57 Appconfig.WriteLogFile(str.ToString(), "删除日志"); 58 } 59 } 60 conn.Close(); 61 } 62 } 63 }
本文来自博客园,作者:꧁执笔小白꧂,转载请注明原文链接:https://www.cnblogs.com/qq2806933146xiaobai/p/15401126.html
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· AI与.NET技术实操系列:基于图像分类模型对图像进行分类
· go语言实现终端里的倒计时
· 如何编写易于单元测试的代码
· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
· .NET Core 中如何实现缓存的预热?
· 分享一个免费、快速、无限量使用的满血 DeepSeek R1 模型,支持深度思考和联网搜索!
· 基于 Docker 搭建 FRP 内网穿透开源项目(很简单哒)
· ollama系列01:轻松3步本地部署deepseek,普通电脑可用
· 25岁的心里话
· 按钮权限的设计及实现