网上有许多防SQL注入式攻击的方法。我使用将值用参数传入形式。相关代码如下:
/// <summary>
/// 执行参数
/// </summary>
/// <param name="asSql">SQL语句</param>
/// <param name="asPlList">参数列表</param>
public static void ExecuteDMLParameterSQL(string asSql, sttSqlParameterList[] asPlList)
{
sConnectionString = ConfigurationManager.AppSettings.Get("UserConnection");
OracleConnection ocConnection = new OracleConnection(sConnectionString);
ocConnection.Open();
OracleCommand ocCommand = ocConnection.CreateCommand();
ocCommand.CommandType = CommandType.Text;
ocCommand.CommandText = asSql;
for (int i = 0; i < asPlList.Length; i++)
{
OracleParameter opName = new OracleParameter();
opName.ParameterName = asPlList[i].Name;
switch (asPlList[i].Type)
{
case "string":
opName.OracleType = OracleType.VarChar;
break;
default:
opName.OracleType = OracleType.VarChar;
break;
}
opName.Value = asPlList[i].Value;
ocCommand.Parameters.Add(opName);
}
int iResult = (int)ocCommand.ExecuteNonQuery();
ocCommand.Dispose();
ocConnection.Close();
ocConnection.Dispose();
}
/// <summary>
/// 参数结构,用于执行参数语句
/// </summary>
public struct sttSqlParameterList
{
private string sName;
private string sType;
private string sValue;
/// <summary>
/// 构造函数(初始化值)
/// </summary>
/// <param name="asName">参数名</param>
/// <param name="asType">参数类型(暂时只针对string型的值)</param>
/// <param name="asValue">参数值</param>
public sttSqlParameterList(string asName, string asType, string asValue)
{
sName = asName;
sType = asType;
sValue = asValue;
}
/// <summary>
/// 参数名(与SQL语句中的参数名相同,但不带:号)
/// </summary>
public string Name
{
get
{
return sName;
}
set
{
sName = value;
}
}
/// <summary>
/// 参数类型(本参数暂时只接受string型)
/// </summary>
public string Type
{
get
{
return sType;
}
set
{
sType = value;
}
}
/// <summary>
/// 参数值,与参数类型对应
/// </summary>
public string Value
{
get
{
return sValue;
}
set
{
sValue = value;
}
}
}
调用方法为:
string sSql = "update HP_REQUIREMENT "
+ " set RqtGuage=16,RqtUpdateDate=to_date('{1}','yyyy.MM.dd'),"
+ " RqtCheckerID={2},"
+ " RqtCheckerEmpID='{3}',"
+ "RqtDevelopExplain=:CheckerExplain," //CheckerExplain为参数名,与参数列表中的Name相对应
+ " RqtAnalystHour={4},"
+ " RqtDevelopWorkload={5},"
+ " RqtTestHour={6},"
+ " RqtTotoalHour={7}"
+ " where RqtID='{0}'";
sSql = string.Format(sSql, sMainID, sUpdateDate, sCheckerID, sCheckerEmpID, sAnalystHour, sWorkLoad, sTestHour, sTotalHour);
//给参数赋值(这里只有一个参数)
sttSqlParameterList[] sptList = new sttSqlParameterList[1];
sptList[0].Name = "CheckerExplain";
sptList[0].Type = "string";
sptList[0].Value = sCheckerExplain;
clsHpDbManage.ExecuteDMLParameterSQL(sSql, sptList);
+ " set RqtGuage=16,RqtUpdateDate=to_date('{1}','yyyy.MM.dd'),"
+ " RqtCheckerID={2},"
+ " RqtCheckerEmpID='{3}',"
+ "RqtDevelopExplain=:CheckerExplain," //CheckerExplain为参数名,与参数列表中的Name相对应
+ " RqtAnalystHour={4},"
+ " RqtDevelopWorkload={5},"
+ " RqtTestHour={6},"
+ " RqtTotoalHour={7}"
+ " where RqtID='{0}'";
sSql = string.Format(sSql, sMainID, sUpdateDate, sCheckerID, sCheckerEmpID, sAnalystHour, sWorkLoad, sTestHour, sTotalHour);
//给参数赋值(这里只有一个参数)
sttSqlParameterList[] sptList = new sttSqlParameterList[1];
sptList[0].Name = "CheckerExplain";
sptList[0].Type = "string";
sptList[0].Value = sCheckerExplain;
clsHpDbManage.ExecuteDMLParameterSQL(sSql, sptList);