sql 防注入插入_.NET_编程开发_程序员俱乐部

中国优秀的程序员网站程序员频道CXYCLUB技术地图
热搜:
更多>>
 
您所在的位置: 程序员俱乐部 > 编程开发 > .NET > sql 防注入插入

sql 防注入插入

 2015/3/20 2:50:36  嘿嘿v8v  程序员俱乐部  我要评论(0)
  • 摘要:1varstrsql="insertintoStaff_Answer(ExamTitleID,QuestionsID,MultipleChoice,RightOption,AnswerOption,IsRight,Score,StaffScore,Remark,State,Creator,CreatOrg,CreateTime)values";2strsql+="(@ExamTitleID,@QuestionsID,@MultipleChoice,@RightOption
  • 标签:SQL
class="code_img_closed" src="/Upload/Images/2015032002/0015B68B3C38AA5B.gif" alt="" />logs_code_hide('a66fe000-b209-4c2e-863b-ce8c81af7790',event)" src="/Upload/Images/2015032002/2B1B950FA3DF188F.gif" alt="" />
 1  var strsql = "insert into Staff_Answer (ExamTitleID,QuestionsID,MultipleChoice,RightOption,AnswerOption,IsRight,Score,StaffScore,Remark,State,Creator,CreatOrg,CreateTime) values";
 2             strsql += "(@ExamTitleID,@QuestionsID,@MultipleChoice,@RightOption,@AnswerOption,@IsRight,@Score,@StaffScore,@Remark,@State,@Creator,@CreatOrg,@CreateTime)";
 3             var cmd = new SqlCommand(strsql);
 4             var param = new SqlParameter[] { 
 5                                                 new SqlParameter("@ExamTitleID",SqlDbType.UniqueIdentifier),
 6                                                 new SqlParameter("@QuestionsID",SqlDbType.UniqueIdentifier),
 7                                                 new SqlParameter("@MultipleChoice",SqlDbType.NVarChar,2),
 8                                                 new SqlParameter("@RightOption",SqlDbType.NVarChar,200),
 9                                                 new SqlParameter("@AnswerOption",SqlDbType.NVarChar,200),
10                                                 new SqlParameter("@IsRight",SqlDbType.NVarChar,2),
11                                                 new SqlParameter("@Score",SqlDbType.Decimal,18),
12                                                 new SqlParameter("@StaffScore",SqlDbType.Decimal,18),
13                                                 new SqlParameter("@Remark",SqlDbType.Text),
14                                                 new SqlParameter("@State",SqlDbType.NVarChar,2),
15                                                 new SqlParameter("@Creator",SqlDbType.NVarChar,200),
16                                                 new SqlParameter("@CreatOrg",SqlDbType.NVarChar,200),
17                                                 new SqlParameter("@CreateTime",SqlDbType.NVarChar,200)
18                                             };
19 
20 
21             param[0].Value = new Guid(this.ExamTitleCode.Value);
22             param[1].Value = new Guid(QuestionsID);
23             param[2].Value = Anserdt.Rows[0]["MultipleChoice"].ToString();
24             param[3].Value = RightOption;
25             param[4].Value = AnswerOption;
26             param[5].Value = ISRight ? "1" : "0";
27             param[6].Value = Convert.ToInt32(Question.Rows[0]["Score"]);
28             param[7].Value = ISRight ? Convert.ToInt32(Question.Rows[0]["Score"]) : 0;
29             param[8].Value = this.Remark.InnerText;
30             param[9].Value = "1";
31             param[10].Value = userid;
32             param[11].Value = Orgname1;
33             param[12].Value = DateTime.Now;
34 
35             foreach (SqlParameter para in param)
36             {
37                 cmd.Parameters.Add(para);
38             }
39            helps.GetExecuteNonQueryBySqlPa(cmd);
40         }
View Code

感谢同事给我提供的内容

发表评论
用户名: 匿名