(一)防止sql数据库字符串注入攻击:
1.字符串注入攻击实在填写内容是,插入的sql语句,对数据库进行的操作
数据库的攻击就是插入新的sql语句,并对后面的语句进行注销:');update Students set Sname='';--
2.防止字符串注入攻击:
cmd.CommandText = "update Student set Sname = @a", ---- 用占位符进行占位,这样在攻击的时候就会吧攻击的内容当成sql语句内容直接插入到数据库
cmd.Parametrs.Clear();
cmd.Paramerts.AddWithValue("@a",xx);
(二)实体类:就是封装
实体类的名称和数据库表的名称一致,
成员变量与列名一致,在最前面多一个下划线,
成员变量封装出来的属性与列名保持一致
(三)数据访问类
1.就是对数据库表进行操作,单独写成一个类,封装成一些方法,等待调用
命名规则:数据库表名+Data
好处:结构清晰,避免代码重复书写
例:
using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Data.SqlClient; namespace 完整的增删改查.App_code { public class UsersData { SqlConnection conn = null; SqlCommand cmd = null; public UsersData() { conn = new SqlConnection("server=localhost;database=stu0314;user=sa;pwd=13;"); cmd = conn.CreateCommand(); } /// <summary> /// 查询数据的方法 /// </summary> /// <returns></returns> public List<Users> selectAll() { List<Users> ulist = new List<Users>(); cmd.CommandText = "select * from Users"; try { conn.Open(); SqlDataReader dr = cmd.ExecuteReader(); if (dr.HasRows) { while (dr.Read()) { Users u = new Users(); u.Ids = Convert.ToInt32(dr["ids"]); u.UserName = dr["UserName"].ToString(); u.PassWord = dr["PassWord"].ToString(); u.NikeName = dr["NikeName"].ToString(); u.Sex = Convert.ToBoolean(dr["Sex"]); u.Birthday = Convert.ToDateTime(dr["Birthday"]); u.Nation = dr["Nation"].ToString(); u.Class = dr["Class"].ToString(); ulist.Add(u); } } } catch { Console.WriteLine("服务器连接失败"); } conn.Close(); return ulist; } /// <summary> /// 查询数据库中是否有相同的用户名 /// </summary> /// <param name="uname"></param> /// <returns></returns> public bool selectUname(string uname) { bool has = false; cmd.CommandText = "select * from Users where UserName=@a"; cmd.Parameters.Clear(); cmd.Parameters.AddWithValue("@a",uname); conn.Open(); SqlDataReader dr = cmd.ExecuteReader(); if (dr.HasRows) has = true; conn.Close(); return has; } /// <summary> /// 向数据库中插入数据 /// </summary> /// <param name="u">插入的用户信息</param> /// <param name="uname">用户的姓名</param> /// <returns></returns> public bool insert(Users u,string uname) { bool has = false; cmd.CommandText = "insert into Users values(@a,@b,@c,@d,@e,@f,@g)"; cmd.Parameters.Clear(); cmd.Parameters.AddWithValue("@a",uname); cmd.Parameters.AddWithValue("@b",u.PassWord); cmd.Parameters.AddWithValue("@c", u.NikeName); cmd.Parameters.AddWithValue("@d", u.Sex); cmd.Parameters.AddWithValue("@e", u.Birthday); cmd.Parameters.AddWithValue("@f", u.Nation); cmd.Parameters.AddWithValue("@g", u.Class); conn.Open(); int count = cmd.ExecuteNonQuery(); if (count > 0) has = true; conn.Close(); return has; } /// <summary> /// 修改数据库中的信息 /// </summary> /// <param name="u">需要传入要修改的用户信息</param> /// <param name="uname">传入要修改的用户名</param> /// <returns></returns> public bool update(Users u,string uname) { bool has = false; cmd.CommandText = "update Users set PassWord=@a,NikeName=@b,Sex=@c,Birthday=@d,Nation=@e,Class=@f where UserName=@g"; cmd.Parameters.Clear(); cmd.Parameters.AddWithValue("@a",u.PassWord); cmd.Parameters.AddWithValue("@b", u.NikeName); cmd.Parameters.AddWithValue("@c", u.Sex); cmd.Parameters.AddWithValue("@d", u.Birthday); cmd.Parameters.AddWithValue("@e", u.Nation); cmd.Parameters.AddWithValue("@f", u.Class); cmd.Parameters.AddWithValue("@g", uname); conn.Open(); int count = cmd.ExecuteNonQuery(); if (count > 0) has = true; conn.Close(); return has; } public bool delete(string uname) { bool has = false; cmd.CommandText = "delete from Users where UserName=@a"; cmd.Parameters.Clear(); cmd.Parameters.AddWithValue("@a",uname); conn.Open(); int count = cmd.ExecuteNonQuery(); if (count > 0) has = true; conn.Close(); return has; } } }
(四)三层架构开发
界面层 ---- UI层
业务逻辑层 ---- c#代码部分
数据访问层 ---- 实体类与数据访问类(对数据的操作)
(五)属性扩展
封装的时候,成员变量不只有一个属性,,根据需求,可以书写多个
例:
using System; using System.Collections.Generic; using System.Linq; using System.Text; namespace 完整的增删改查.App_code { public class Users { private int _Ids; /// <summary> /// 用户id /// </summary> public int Ids { get { return _Ids; } set { _Ids = value; } } private string _UserName; /// <summary> /// 用户的姓名 /// </summary> public string UserName { get { return _UserName; } set { _UserName = value; } } private string _PassWord; /// <summary> /// 用户的密码 /// </summary> public string PassWord { get { return _PassWord; } set { _PassWord = value; } } private string _NikeName; /// <summary> /// 用户的别称 /// </summary> public string NikeName { get { return _NikeName; } set { _NikeName = value; } } private bool _Sex; /// <summary> /// 用户的性别 /// </summary> public bool Sex { get { return _Sex; } set { _Sex = value; } } /// <summary> /// 性别只读属性,返回男或女 /// </summary> public string SexStr { get { return _Sex?"男":"女";} } private DateTime _Birthday; /// <summary> /// 用户的生日 /// </summary> public DateTime Birthday { get { return _Birthday; } set { _Birthday = value; } } public string BirthdayStr { get { return _Birthday.ToString("yyyy年MM月"); } } private string _Nation; /// <summary> /// 用户的民族 /// </summary> public string Nation { get { return _Nation; } set { _Nation = value; } } /// <summary> /// 民族只读,显示汉字 /// </summary> public string NationName { get { return new NationData().selectNationName(_Nation);//调用方法,把编号对应的民族输出 } } private string _Class; /// <summary> /// 用户的班级 /// </summary> public string Class { get { return _Class; } set { _Class = value; } } /// <summary> /// 班级只读属性,显示汉字 /// </summary> public string ClassName { get { return new ClassData().ClassName(_Class); }//调用方法,把编号对应的班级输出 } } }