样式一(对于传入参数的场景,防止sql攻击):
using CodeReading.Entity; using CodeReading.Entity.Comm; using CodeReading.Entity.History; using System; using System.Collections.Generic; using System.Configuration; using System.Data.SqlClient; using System.Linq; using System.Text;namespace CodeReading.View.DAL { public class HistoryDAL { // 数据取得 private static string connectionString = ConfigurationManager.ConnectionStrings["ConnectionStrings"].ConnectionString; public SearchResult Search(SearchConditions searchConditions) { using (var conn = new SqlConnection(connectionString)) using (var cmd = new SqlCommand()) { cmd.Connection = conn; // SQL参数生成 StringBuilder sql = new StringBuilder(); // SELECT DbId,OtherID,Signed,TagCode,ScanDate,Pass,FileName FROM dbo.Used sql.AppendLine(" SELECT "); sql.AppendLine(" ,DbId"); // 表单类型 sql.AppendLine(" ,FileName"); // 图片名 sql.AppendLine(" FROM "); sql.AppendLine(" dbo.Used "); // Used表 sql.AppendLine(" Where "); sql.AppendLine(" ScanDate >= @hsDtpFrom "); // 扫描开始时刻 sql.AppendLine(" And ScanDate <= @hsDtpTo "); // 扫描结束时刻 cmd.Parameters.Add("@hsDtpFrom", searchConditions.HsDtpFrom); // 扫描开始时刻 赋值 cmd.Parameters.Add("@hsDtpTo", searchConditions.HsDtpTo); // 扫描结束时刻 赋值 // "表单类型"有值时 if (!string.IsNullOrEmpty(searchConditions.HsDbId)) { sql.AppendLine(" And DbId = @hsDbId "); // 表单类型 cmd.Parameters.Add("@hsDbId", searchConditions.HsDbId); // 表单类型 赋值 }// 数据取得 cmd.CommandText = sql.ToString(); using (SqlDataAdapter reader = new SqlDataAdapter(cmd)) { var result = new SearchResult(); result.Suceeded = true; var errorInfo = new ErrorInfo(); result.ErrorInfo = errorInfo; var dt = new HistoryDataSet.SearchListDataTable(); reader.Fill(dt); result.SearchData = dt; reusing CodeReading.Entity;
return result;
....
规范二(适合安全可控的程序的接口):
1 using System; 2 3 public class Class1 4 { 5 public void CV() 6 { 7 StringBuilder sUMresult = new StringBuilder(); 8 9 using (SqlConnection conn = new SqlConnection(Appconfig.GetMSStr())) 10 { 11 conn.Open(); 12 using (SqlTransaction trans = conn.BeginTransaction()) 13 { 14 try 15 { 16 SqlCommand cmd = new SqlCommand(); 17 cmd.Connection = conn; 18 cmd.Transaction = trans; 19 20 StringBuilder resultlog = new StringBuilder(); 21 string chksql = ""; 22 23 // sql1 24 chksql = @"delete from table where Work='{1}'"; 25 chksql += @" and LotNO in (select * from table where id='{0}')"; 26 chksql = string.Format(chksql, idstr, workstr); 27 resultlog.AppendLine(" sql:" + chksql); 28 cmd.CommandText = chksql; 29 cmd.ExecuteNonQuery(); 30 31 //sql2略 32 33 trans.Commit(); 34 35 resultlog.AppendLine("删除执行完毕"); 36 Appconfig.WriteLogFile(resultlog.ToString(), "删除日志"); 37 38 result.Code = 0; 39 result.ResMsg = "删除成功"; 40 result.IsSuccess = true; 41 #region 42 #endregion 43 } 44 catch (Exception ex) 45 { 46 trans.Rollback(); 47 48 result.Code = -1; 49 result.ResMsg = ex.Message; 50 sUMresult.AppendLine("ID:" + idstr + "+Work:" + workstr + ",删除出错" + ex.Message); 51 result.IsSuccess = false; 52 53 StringBuilder str = new StringBuilder(); 54 str.AppendLine("ID:" + idstr); 55 str.AppendLine("Work:" + workstr); 56 str.AppendLine("删除出错:" + ex.Message); 57 Appconfig.WriteLogFile(str.ToString(), "删除日志"); 58 } 59 } 60 conn.Close(); 61 } 62 } 63 }