字符串攻防、实体类、数据访问类

一、字符串攻防

数据库入侵最简单的是字符串入侵，其基本思想是，在输入内容后拼接侵入语句

例 ：

//侵入
            cmd.CommandText = "insert into User values('a');update User set name='jnmks';--');"
                //防守
                cmd.CommandText = "insert into User values(@a);"

                    cmd.Parameters.AddWithValue("@a",name);

二、实体类

实体类是用于对必须存储的信息和相关行为建模的类。即：对数据库进行操作将表名定义为类，列名定义为成员变量及属性

例：

 public class User
    {
        private int _Ids;
        public int Ids
        {
            get { return _Ids; }
            set { _Ids = value; }
        }
        private string _UserName;

        public string UserName
        {
            get { return _UserName; }
            set { _UserName = value; }
        }
        private string _PassWord;

        public string PassWord
        {
            get { return _PassWord; }
            set { _PassWord = value; }
        }
        private string _NickName;

        public string NickName
        {
            get { return _NickName; }
            set { _NickName = value; }
        }
        private bool _Sex;

        public bool Sex
        {
            get { return _Sex; }
            set { _Sex = value; }
        }
        private DateTime _Birthday;

        public DateTime Birthday
        {
            get { return _Birthday; }
            set { _Birthday = value; }
        }
        private string _Nation;

        public string Nation
        {
            get { return _Nation; }
            set { _Nation = value; }
        }

三、数据访问类

using System.Data.SqlClient;

namespace _4_20封装数据库.App_Code
{
    public class UserData
    {       //数据库引用
        SqlConnection conn = new SqlConnection("server=.;database=student;user=sa;pwd=123;");
        SqlCommand cmd = conn.CreateCommand();
        public List<User> select()
        {
            //定义集合为方法
            List<User> ulist = new List<User>();
            cmd.CommandText = "select*from User";
            conn.Open();
            SqlDataReader dr=cmd.ExecuteReader();
            //读取数据
            if (dr.HasRows)
            {
                while (dr.Read())
                {
                    //添加数据到集合
                    User u = new User();
                    u.Ids = Convert.ToInt32(dr["Ids"]);
                    u.UserName = dr["UserName"].ToString();
                    u.PassWord = dr["PassWord"].ToString();
                    u.NickName=dr["NickName"].ToString();
                    u.Sex=Convert.ToBoolean(dr["Sex"]) ;
                    u.Birthday = Convert.ToDateTime(dr["Birthday"]);
                    u.Nation=dr["Nation"].ToString();

                    ulist.Add(u);
                }
            }
            conn.Close();
            return ulist;
        }
    }
}

引用：

using _4_20封装数据库.App_Code;

namespace _4_20封装数据库
{
    class Program
    {
        static void Main(string[] args)
        {
            //实例化数据库类
            UserData ul=new UserData();
            //调用数据库类方法
            List<User> us=ul.select();
            //打印
            foreach (User a in us)
            {
                Console.WriteLine(a.Ids+"|"+a.UserName+"|"+a.PassWord+"|"+a.NickName+"|"+a.Sex+"|"+a.Birthday+"|"+a.Nation);
            }
        }
    }
}