防止注入

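protected int Mylogin(string table,string name,string pwd)
    {
        // Looks up a login row for the given user name and password and returns
        // the first column of the first matching row as an int. When no row
        // matches, ExecuteScalar yields null and Convert.ToInt32(null) is 0.
        //
        // table: "admin" selects from the admin table (name/pwd columns); any
        //        other value selects from logininfo (name/password columns)
        //        restricted to type='2'. The table name is chosen by an exact
        //        string match, so caller input never reaches the SQL text —
        //        only the credential values travel, as typed parameters.
        // name/pwd: bound as Char(20). NOTE(review): the provider truncates a
        //        longer value to the declared Size before the comparison runs —
        //        confirm 20 matches the column widths so no input is silently
        //        shortened.
        // NOTE(review): the query compares the password against a stored column
        //        server-side, i.e. as stored plaintext; that is a storage-layer
        //        concern (hashed credentials) and cannot be fixed in the query.
        string myConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings["SMS"].ConnectionString;

        // Both statements are fixed literals; the original concatenated `table`
        // in the admin branch, which was safe only because the branch condition
        // pins it to exactly "admin" — spelling the literal out removes the
        // concatenation entirely with identical SQL text.
        string strSql = table == "admin"
            ? "select * from admin where name = @name and pwd = @pwd "
            : "select * from logininfo where name=@name and password = @pwd and type='2' ";

        // using blocks release the connection and command even when Open() or
        // ExecuteScalar() throws; the original disposed them only on the
        // success path and leaked both on any exception.
        using (SqlConnection conn = new SqlConnection(myConnectionString))
        using (SqlCommand cmd = new SqlCommand(strSql, conn))
        {
            cmd.Parameters.Add("@name", System.Data.SqlDbType.Char, 20).Value = name;
            cmd.Parameters.Add("@pwd", System.Data.SqlDbType.Char, 20).Value = pwd;
            conn.Open();
            return Convert.ToInt32(cmd.ExecuteScalar());
        }
    }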