怎么防止C#中sql注入
展开全部
通过参数传哗亮递:
string sql = "select count(*) from zhuce where username=@username and pwd=@pwd and type = @type";
SqlConnection conn = new SqlConnection(Common.Context.SqlManager.CONN_STRING);
conn.Open();
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.Parameters.Add("@username",SqlDbType.VarChar,30);
cmd.Parameters.Add("@pwd",SqlDbType.VarChar,30);
cmd.Parameters.Add("@type",SqlDbType.VarChar,10);
cmd.Parameters["乎芦中@username"].Value = username;
cmd.Parameters["@pwd"].Value = pwd;
cmd.Parameters["@type"岁山].Value = power.Text;
int count = Convert.ToInt32(cmd.ExecuteScalar());
conn.Close();
string sql = "select count(*) from zhuce where username=@username and pwd=@pwd and type = @type";
SqlConnection conn = new SqlConnection(Common.Context.SqlManager.CONN_STRING);
conn.Open();
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.Parameters.Add("@username",SqlDbType.VarChar,30);
cmd.Parameters.Add("@pwd",SqlDbType.VarChar,30);
cmd.Parameters.Add("@type",SqlDbType.VarChar,10);
cmd.Parameters["乎芦中@username"].Value = username;
cmd.Parameters["@pwd"].Value = pwd;
cmd.Parameters["@type"岁山].Value = power.Text;
int count = Convert.ToInt32(cmd.ExecuteScalar());
conn.Close();
已赞过
已踩过<
评论
收起
你对这个回答的评价是?
推荐律师服务:
若未解决您的问题,请您详细描述您的问题,通过百度律临进行免费专业咨询
