  • C#中SqlParameter

    一般来说,在更新DataTable或是DataSet时,如果不采用SqlParameter,那么当输入的Sql语句出现歧义时,如字符串中含有单引号,程序就会发生错误,并且他人可以轻易地通过拼接Sql语句来进行注入攻击。

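     // Counter-example: the SQL text is assembled as a plain string with no SqlParameter.
     // With constant literals this is harmless, but as soon as a value comes from the caller,
     // the quoting becomes part of the statement: a quote inside the data breaks or alters the query.
     string sql = "update Table1 set name = 'Pudding' where ID = '1'";
     // Connection string depends on the database in use.
     using (SqlConnection conn = new SqlConnection())
     {
         conn.ConnectionString = "Data Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";
         // using disposes (and thereby closes) the connection on every exit path, replacing the finally/Close pair.
         using (SqlCommand cmd = new SqlCommand(sql, conn))
         {
             try
             {
                 conn.Open();
                 return cmd.ExecuteNonQuery();   // number of rows affected
             }
             catch (Exception)
             {
                 // Best-effort contract kept from the original: report failure as -1 instead of propagating.
                 // The original also had a `throw;` after this return, which was unreachable.
                 return -1;
             }
         }
     }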

    上述代码未采用SqlParameter,除了存在安全性问题,该方法还无法解决二进制流的更新,如图片文件。通过使用SqlParameter可以解决上述问题,常见的使用方法有两种,Add方法和AddRange方法。

    一、Add方法

    // Add() registers one SqlParameter per call; each placeholder in the SQL text gets its own value here.
    cmd.Parameters.Add(new SqlParameter("@name", "Pudding"));
    cmd.Parameters.Add(new SqlParameter("@ID", "1"));

      该方法每次只能添加一个SqlParameter。上述代码的功能是将ID值等于1的字段name更新为Pudding(人名)。

    二、AddRange方法

    // Build every parameter up front, then hand the whole array to AddRange() in one call.
    SqlParameter[] paras =
    {
        new SqlParameter("@name", "Pudding"),
        new SqlParameter("@ID", "1")
    };
    cmd.Parameters.AddRange(paras);

    或者,直接在Sql语句中用占位符代替要传入的值:

    SqlDBConnect db = new SqlDBConnect();
    // AdminId and PassWord travel as parameters, so a quote inside either value is data, not SQL.
    // NOTE(review): the query matches the password column directly, which only works if the stored
    // value is the raw password; storing a salted hash and verifying it in code would avoid keeping
    // plaintext credentials in the table.
    string loginQuery = "select PassWord from T_Admin where AdminId =@AdminId and Password=@Password";
    SqlParameter[] loginParams =
    {
        new SqlParameter("@AdminId", AdminId),
        new SqlParameter("@Password", PassWord)
    };
    DataTable dt = db.GetDataTable(loginQuery, loginParams); // custom helper that runs the query and returns the rows as a DataTable
      显然,Add方法在添加多个SqlParameter时不方便,此时,可以采用AddRange方法。
      下面是通过SqlParameter向数据库存储及读取图片的代码。
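    /// <summary>
    /// Reads the file at <paramref name="photourl"/> and stores its bytes in the photo column of the
    /// Table1 row selected by <paramref name="id"/>, passing the bytes to SQL Server as a SqlParameter.
    /// </summary>
    /// <param name="photourl">Path of the image file to upload. It is used as given; if it can come from an
    /// untrusted source, restrict it to the intended directory before calling.</param>
    /// <param name="id">Value compared against the ID column. Defaults to "0", matching the original
    /// hard-coded <c>where ID = '0'</c>; kept as a string so the comparison behaves like that literal did.</param>
    /// <returns>The number of rows affected, or -1 if opening the connection or executing the update fails.</returns>
    /// <exception cref="IOException">The file cannot be read. (File errors were outside the try block in the
    /// original as well, so they still propagate.)</exception>
    public int SavePhoto(string photourl, string id = "0")
    {
        // File.ReadAllBytes opens, reads and closes the file itself, so nothing is left open if it throws;
        // the original FileStream/BinaryReader pair was only closed on the success path.
        byte[] photo = File.ReadAllBytes(photourl);
        // Both the blob and the row key are parameters; nothing from the caller is spliced into the SQL text.
        string sql = "update Table1 set photo = @photo where ID = @id";
        using (SqlConnection conn = new SqlConnection())
        {
            conn.ConnectionString = "Data Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.Add(new SqlParameter("@photo", photo)); // a byte[] value is sent as varbinary
                cmd.Parameters.Add(new SqlParameter("@id", id));
                try
                {
                    conn.Open();
                    return cmd.ExecuteNonQuery();
                }
                catch (Exception)
                {
                    // Kept from the original: database failures are reported as -1 rather than propagated.
                    // The original's `throw;` after this return was unreachable and has been dropped.
                    return -1;
                }
            }
        }
    }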
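    /// <summary>
    /// Reads the photo column of the Table1 row selected by <paramref name="id"/> and writes the bytes
    /// to a new file at <paramref name="url"/>. Does nothing if no row matches.
    /// </summary>
    /// <param name="url">Path of the file to create. FileMode.CreateNew is kept from the original, so an
    /// existing file is not overwritten. If the path can come from an untrusted source, restrict it to the
    /// intended directory before calling.</param>
    /// <param name="id">Value compared against the ID column. Defaults to "0", matching the original
    /// hard-coded <c>where ID = '0'</c>; kept as a string so the comparison behaves like that literal did.</param>
    /// <exception cref="InvalidOperationException">The row exists but its photo column is NULL or not binary
    /// (the original dereferenced the null and failed with a NullReferenceException).</exception>
    /// <exception cref="IOException">The target file already exists or cannot be written.</exception>
    public void ReadPhoto(string url, string id = "0")
    {
        string sql = "select photo from Table1 where ID = @id";
        using (SqlConnection conn = new SqlConnection())
        {
            conn.ConnectionString = "Data Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.Add(new SqlParameter("@id", id));
                conn.Open();
                // using disposes the reader and the file on every exit path; the original closed them only on
                // success, and its catch block merely rethrew, so no handler is needed here.
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    if (reader.Read())
                    {
                        // Column 0 is the photo blob. A NULL cell comes back as DBNull, which `as byte[]` turns into null.
                        byte[] photo = reader[0] as byte[];
                        if (photo == null)
                        {
                            throw new InvalidOperationException("The photo column is NULL or not binary for the requested row.");
                        }
                        using (FileStream fs = new FileStream(url, FileMode.CreateNew))
                        {
                            fs.Write(photo, 0, photo.Length);
                        }
                    }
                }
            }
        }
    }
}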

     

  • 原文地址:https://www.cnblogs.com/lql6/p/7654977.html