你的位置:首页 > ASP.net教程

[ASP.net教程]SqlCommand参数化查询

string strcon = "Persist Security Info=False;User id=sa;pwd=lovemary;database=student;server=(local) ";
SqlConnection sql = new SqlConnection(strcon);
sql.Open();
SqlCommand com = new SqlCommand();

com.Connection = sql;

com.CommandText = "delete from XSB where XH ='"+tbXH.text+"'";

直接这样赋值会导致一个什么问题呢?比如用户在tbXH(textbox属性名)中输入”  1‘or‘1’=’1‘  “;

这样就会导致这句SQL语句,永远成立,如delete from XSB where XH ='1’or‘1’=‘1’  会导致删掉表中所有记录

如何解决呢?

用参数化查询:

com.CommandText = "delete from XSB where XH = @XH";

com.Parameters.Add(new SqlParameter("@XH",tbXH.text));

以下几种SQL语句均可用参数化查询

"delete from XSB where XH = @XH"

"INSERT INTO XSB(XH,XM,XB,CSRQ,ZY,ZXF)VALUES(@Name,@Age,.... )"

"select.....where = @.."

"update ...set Age = @.."