C#-sql语句规范

样式一(参数来自外部输入的场景,用参数化查询防止 SQL 注入):

using CodeReading.Entity;
using CodeReading.Entity.Comm;
using CodeReading.Entity.History;
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Text;namespace CodeReading.View.DAL
{
    public class HistoryDAL
    {
        // 数据取得
        private static string connectionString = ConfigurationManager.ConnectionStrings["ConnectionStrings"].ConnectionString;

    
        public SearchResult Search(SearchConditions searchConditions)
        {
            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand())
            {
                cmd.Connection = conn;

                // SQL参数生成
                StringBuilder sql = new StringBuilder();
                // SELECT DbId,OtherID,Signed,TagCode,ScanDate,Pass,FileName FROM dbo.Used
                sql.AppendLine(" SELECT ");
                sql.AppendLine("    ,DbId");                                                             // 表单类型
                sql.AppendLine("    ,FileName");                                                         // 图片名
                sql.AppendLine("  FROM   ");
                sql.AppendLine("      dbo.Used ");                                                       // Used表
                sql.AppendLine("  Where   ");
                sql.AppendLine("       ScanDate >= @hsDtpFrom ");                  // 扫描开始时刻
                sql.AppendLine("   And ScanDate <= @hsDtpTo ");                    // 扫描结束时刻
                cmd.Parameters.Add("@hsDtpFrom", searchConditions.HsDtpFrom);         // 扫描开始时刻 赋值
                cmd.Parameters.Add("@hsDtpTo", searchConditions.HsDtpTo);             // 扫描结束时刻 赋值
                // "表单类型"有值时
                if (!string.IsNullOrEmpty(searchConditions.HsDbId))
                {
                    sql.AppendLine("   And  DbId = @hsDbId ");                      // 表单类型
                    cmd.Parameters.Add("@hsDbId", searchConditions.HsDbId);           // 表单类型 赋值
                }// 数据取得
                cmd.CommandText = sql.ToString();
                using (SqlDataAdapter reader = new SqlDataAdapter(cmd))
                {
                    var result = new SearchResult();
                    result.Suceeded = true;
                    var errorInfo = new ErrorInfo();
                    result.ErrorInfo = errorInfo;

                    var dt = new HistoryDataSet.SearchListDataTable();
                    reader.Fill(dt);
                    result.SearchData = dt;
                    reusing CodeReading.Entity;

return result;
....

样式二(仅适合参数安全可控、不来自外部输入的程序接口):

using System;
using System.Data.SqlClient;
using System.Text;
 2 
 3 public class Class1
 4 {
 5     public void CV()
 6     {
 7         StringBuilder sUMresult = new StringBuilder();
 8 
 9         using (SqlConnection conn = new SqlConnection(Appconfig.GetMSStr()))
10         {
11             conn.Open();
12             using (SqlTransaction trans = conn.BeginTransaction())
13             {
14                 try
15                 {
16                     SqlCommand cmd = new SqlCommand();
17                     cmd.Connection = conn;
18                     cmd.Transaction = trans;
19 
20                     StringBuilder resultlog = new StringBuilder();
21                     string chksql = "";
22 
23                     // sql1
24                     chksql = @"delete from table where Work='{1}'";
25                     chksql += @" and LotNO in (select * from table where id='{0}')";
26                     chksql = string.Format(chksql, idstr, workstr);
27                     resultlog.AppendLine(" sql:" + chksql);
28                     cmd.CommandText = chksql;
29                     cmd.ExecuteNonQuery();
30 
31                     //sql2略
32 
33                     trans.Commit();
34 
35                     resultlog.AppendLine("删除执行完毕");
36                     Appconfig.WriteLogFile(resultlog.ToString(), "删除日志");
37 
38                     result.Code = 0;
39                     result.ResMsg = "删除成功";
40                     result.IsSuccess = true;
41                     #region
42                     #endregion
43                 }
44                 catch (Exception ex)
45                 {
46                     trans.Rollback();
47 
48                     result.Code = -1;
49                     result.ResMsg = ex.Message;
50                     sUMresult.AppendLine("ID:" + idstr + "+Work:" + workstr + ",删除出错" + ex.Message);
51                     result.IsSuccess = false;
52 
53                     StringBuilder str = new StringBuilder();
54                     str.AppendLine("ID:" + idstr);
55                     str.AppendLine("Work:" + workstr);
56                     str.AppendLine("删除出错:" + ex.Message);
57                     Appconfig.WriteLogFile(str.ToString(), "删除日志");
58                 }
59             }
60             conn.Close();
61         }
62     }
63 }

 
