
[ASP.net教程]sql 防注入插入


// Builds a parameterized INSERT into Staff_Answer and runs it through the project
// helper. The SQL text contains only fixed column and parameter names; every
// user-influenced value is bound via SqlParameter instead of being concatenated
// into strsql, which is what keeps this insert safe from SQL injection.
// The enclosing method's signature and the declarations of ExamTitleCode,
// QuestionsID, Anserdt, Question, RightOption, AnswerOption, ISRight, Remark,
// userid, Orgname1 and helps are outside this excerpt.
var strsql = "insert into Staff_Answer (ExamTitleID,QuestionsID,MultipleChoice,RightOption,AnswerOption,IsRight,Score,StaffScore,Remark,State,Creator,CreatOrg,CreateTime) values";
strsql += "(@ExamTitleID,@QuestionsID,@MultipleChoice,@RightOption,@AnswerOption,@IsRight,@Score,@StaffScore,@Remark,@State,@Creator,@CreatOrg,@CreateTime)";
// SqlCommand is IDisposable; the helper presumably attaches the connection and
// executes — confirm it also disposes cmd, otherwise wrap this in a using.
var cmd = new SqlCommand(strsql);
// Parameter declarations carry explicit SqlDbType and length so SqlClient sends
// typed values; the order of this array is the index order used below.
var param = new SqlParameter[] {
    new SqlParameter("@ExamTitleID",SqlDbType.UniqueIdentifier),
    new SqlParameter("@QuestionsID",SqlDbType.UniqueIdentifier),
    new SqlParameter("@MultipleChoice",SqlDbType.NVarChar,2),
    new SqlParameter("@RightOption",SqlDbType.NVarChar,200),
    new SqlParameter("@AnswerOption",SqlDbType.NVarChar,200),
    new SqlParameter("@IsRight",SqlDbType.NVarChar,2),
    // NOTE(review): the third argument is a size, not a precision/scale; for
    // Decimal the column's own definition presumably governs — confirm.
    new SqlParameter("@Score",SqlDbType.Decimal,18),
    new SqlParameter("@StaffScore",SqlDbType.Decimal,18),
    // NOTE(review): SqlDbType.Text maps to the legacy text type; NVarChar with
    // size -1 (nvarchar(max)) is the modern equivalent if the column allows it.
    new SqlParameter("@Remark",SqlDbType.Text),
    new SqlParameter("@State",SqlDbType.NVarChar,2),
    new SqlParameter("@Creator",SqlDbType.NVarChar,200),
    new SqlParameter("@CreatOrg",SqlDbType.NVarChar,200),
    // NOTE(review): declared NVarChar(200) but assigned DateTime.Now below, so
    // the timestamp is presumably stored as a culture-dependent string;
    // SqlDbType.DateTime would keep it typed and comparable — confirm column type.
    new SqlParameter("@CreateTime",SqlDbType.NVarChar,200)
};

// new Guid(string) throws FormatException on malformed input; a Guid.TryParse
// check before this point turns a bad request into a clean validation error
// instead of an unhandled exception.
param[0].Value = new Guid(this.ExamTitleCode.Value);
param[1].Value = new Guid(QuestionsID);
// Rows[0] assumes the lookup returned at least one row; an empty Anserdt (or
// Question below) throws IndexOutOfRangeException here.
param[2].Value = Anserdt.Rows[0]["MultipleChoice"].ToString();
param[3].Value = RightOption;
param[4].Value = AnswerOption;
param[5].Value = ISRight ? "1" : "0";
// Score is converted to int although the parameter is Decimal; a fractional
// score in the source row would be rounded away — TODO confirm scores are whole.
param[6].Value = Convert.ToInt32(Question.Rows[0]["Score"]);
// StaffScore is the full question score when the answer is right, else 0.
param[7].Value = ISRight ? Convert.ToInt32(Question.Rows[0]["Score"]) : 0;
// Remark.InnerText is presumably free text from the page; parameter binding
// prevents SQL injection, but the value is stored unencoded, so it must still
// be HTML-encoded wherever it is later rendered.
param[8].Value = this.Remark.InnerText;
// "1" presumably marks the record as active; verify against the State column's convention.
param[9].Value = "1";
param[10].Value = userid;
param[11].Value = Orgname1;
// DateTime.Now is server-local time; DateTime.UtcNow avoids time-zone/DST
// ambiguity — depends on what the column and its readers expect.
param[12].Value = DateTime.Now;

foreach (SqlParameter para in param)
{
    cmd.Parameters.Add(para);
}
// Executes the command via the project helper (defined elsewhere).
helps.GetExecuteNonQueryBySqlPa(cmd);
} // closes the enclosing method, whose signature is above this excerpt


感谢同事给我提供的内容