数据库SqlParameter 的插入操作,防止sql注入的实现代码

例子：点击Button1按钮的时候就把数据插入数据库中。

复制代码代码如下:

using System;

using System.Collections.Generic;

using System.Linq;

using System.Web;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Text;

using System.Data.SqlClient;

using System.Data;

using System.Configuration;

namespace ParaMeter

{

public partial class Test : System.Web.UI.Page

{

private string connectionStr; //链接数据库的字符串

private SqlConnection conDB; //数据库的链接

private SqlTransaction _trans; //事务对象

protected void Page_Load(object sender, EventArgs e)

{

//connectionStr = ConfigurationSettings.AppSettings["constr"];

connectionStr = "server=10.11.43.189SQL2008;database=OA_WEB_DB;uid=sa;pwd=123456";

conDB = new SqlConnection(connectionStr);

}

protected void Button1_Click(object sender, EventArgs e)

{

StringBuilder strSql = new StringBuilder();

strSql.Append("INSERT INTO [OA_WEB_DB].[dbo].[OA_RT_FileType]([FileTypeName],[Deleted])");

strSql.Append("VALUES(@fileName,@delete)");

SqlParameter[] parameters = {

new SqlParameter("@fileName", SqlDbType.NVarChar,100),

new SqlParameter("@delete",SqlDbType.Bit),

};

parameters[0].Value = "文件类型";

parameters[1].Value = false;

bool IsSucc = ExecUpdateSql(strSql.ToString(), parameters);

if (IsSucc)

{

Label1.Text = "插入成功";

}

else

{

Label1.Text = "插入失败";

}

/// 执行一条更新语句

/// </summary>

/// <param name="SQLString">需要执行的SQL语句。</param>

/// <param name="cmdParms">执行参数数组</param>

/// <returns>成功返回True，失败返回False。</returns>

private bool ExecUpdateSql(string SQLString, params SqlParameter[] cmdParms)

{

using (SqlCommand cmd = new SqlCommand())

{

try

{

PrepareCommand(cmd, conDB, _trans, SQLString, cmdParms);

int iret = cmd.ExecuteNonQuery();

return true;

}

catch (System.Data.SqlClient.SqlException e)

{

return false;

}

private void PrepareCommand(SqlCommand cmd, SqlConnection conn, SqlTransaction trans, string cmdText, SqlParameter[] cmdParms)

{

if (conn.State != ConnectionState.Open)

conn.Open();

cmd.Connection = conn;

cmd.CommandText = cmdText;

if (trans != null)

cmd.Transaction = trans;

cmd.CommandType = CommandType.Text;//cmdType;

if (cmdParms != null)

{

foreach (SqlParameter parameter in cmdParms)

{

if ((parameter.Direction == ParameterDirection.InputOutput || parameter.Direction == ParameterDirection.Input) &&

(parameter.Value == null))

{

parameter.Value = DBNull.Value;

}

cmd.Parameters.Add(parameter);

}