用 SqlParameter 对变量进行参数化。参数值并不是被“转义”后拼进 SQL 字符串的，而是作为独立的数据与 SQL 文本分开发送到服务器，因此无论用户输入什么，都无法改变语句的结构——这才是参数化能防止 SQL 注入的真正原因。
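// The connection string is read from configuration rather than hard-coded in source.
private string connString = ConfigurationManager.ConnectionStrings["TestConnectString"].ToString();

/// <summary>
/// Looks up a user by login id and password and, on a match, fills in <c>LoginName</c>.
/// </summary>
/// <param name="userlogin">Credentials supplied by the caller; its <c>LoginName</c> is populated on success.</param>
/// <returns>
/// The same <paramref name="userlogin"/> instance with <c>LoginName</c> set when exactly one row matched,
/// or <c>null</c> when the login failed. Unknown user and wrong password are deliberately indistinguishable.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="userlogin"/> is <c>null</c>.</exception>
/// <remarks>
/// The query is parameterized: LoginId and LoginPwd are sent to the server as typed values, never spliced
/// into the SQL text, so they cannot alter the statement's structure (SQL injection). Note that parameters
/// are not "escaped into an ordinary string" — the SQL text and the data travel separately.
///
/// SECURITY(review): the submitted password is compared directly against the stored <c>LoginPwd</c>
/// column, which means passwords are kept in recoverable form in the database. A sound design stores a
/// salted hash (e.g. PBKDF2) and verifies it in constant time; that requires a schema change and is
/// outside the scope of this fix.
/// </remarks>
public UserLogin UserLogin(UserLogin userlogin)
{
    if (userlogin == null)
    {
        throw new ArgumentNullException("userlogin");
    }

    SqlParameter[] paras =
    {
        new SqlParameter("@userloginId", userlogin.LoginId),
        new SqlParameter("@userloginPwd", userlogin.LoginPwd)
    };

    string sql = "select LoginId,LoginPwd,LoginName from UserLogin where LoginPwd=@userloginPwd and LoginId=@userloginId";

    // using-blocks release the connection, command and reader even when Open() or ExecuteReader()
    // throws; the original only closed them on the success path, leaking a pooled connection on error.
    using (SqlConnection conn = new SqlConnection(connString))
    using (SqlCommand cmd = new SqlCommand(sql, conn))
    {
        cmd.Parameters.AddRange(paras);
        conn.Open();

        using (SqlDataReader sdr = cmd.ExecuteReader(CommandBehavior.CloseConnection))
        {
            if (sdr.Read())
            {
                userlogin.LoginName = sdr["LoginName"].ToString();
                return userlogin;
            }
        }
    }

    return null; // no matching row: login failed
}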
SqlParameter 数组还可以作为参数传入其他方法（例如下面的 SQLHelper.ExeReader）。注意：这种封装只有在 SQL 文本本身由代码写定时才安全，只有参数值可以来自用户输入；如果调用方把用户输入拼接进传给 ExeReader 的 sql 字符串，参数化就失去了意义。
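/// <summary>
/// Executes a query and returns a forward-only reader over its result set.
/// </summary>
/// <param name="sql">
/// SQL text. Any caller-supplied value must be referenced through a named placeholder (<c>@name</c>)
/// and supplied via <paramref name="paras"/>; never build this string by concatenating user input.
/// </param>
/// <param name="paras">Values for the placeholders in <paramref name="sql"/>. Optional (<c>params</c>); may be empty or <c>null</c>.</param>
/// <returns>
/// An open <see cref="SqlDataReader"/>. It was created with <see cref="CommandBehavior.CloseConnection"/>,
/// so closing/disposing the reader also closes the underlying connection — the caller must dispose it.
/// </returns>
/// <exception cref="Exception">
/// Wraps any failure while opening the connection or executing the command. The original exception
/// (typically a <see cref="SqlException"/>) is preserved as <see cref="Exception.InnerException"/>.
/// </exception>
public static SqlDataReader ExeReader(string sql, params SqlParameter[] paras)
{
    SqlConnection conn = new SqlConnection(connString);
    SqlCommand cmd = new SqlCommand(sql, conn);

    // params gives an empty array for no arguments, but an explicit null is still possible.
    if (paras != null && paras.Length != 0)
    {
        cmd.Parameters.AddRange(paras);
    }

    try
    {
        conn.Open();
        // Ownership of conn moves to the reader: it is closed when the reader is closed.
        return cmd.ExecuteReader(CommandBehavior.CloseConnection);
    }
    catch (Exception ex)
    {
        // No reader took ownership of the connection, so release it here instead of leaking it
        // back into the pool unclosed.
        cmd.Dispose();
        conn.Dispose();
        // Pass ex as InnerException so the stack trace and SqlException details are not lost.
        throw new Exception("static SqlDataReader ExeReader(string sql)方法出错" + ex.Message, ex);
    }
}

/// <summary>
/// Authenticates a user through the shared <c>SQLHelper</c> and fills in <c>LoginName</c> on success.
/// </summary>
/// <param name="userlogin">Credentials supplied by the caller; its <c>LoginName</c> is populated on success.</param>
/// <returns>
/// The same <paramref name="userlogin"/> instance with <c>LoginName</c> set when a row matched,
/// or <c>null</c> when the login failed.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="userlogin"/> is <c>null</c>.</exception>
/// <remarks>
/// Both user-controlled values are bound as parameters, so they cannot change the statement's structure.
///
/// SECURITY(review): the password is compared directly against the stored <c>LoginPwd</c> column, i.e.
/// passwords are kept in recoverable form. Storing a salted hash (e.g. PBKDF2) and comparing in constant
/// time is the correct design; it needs a schema change and is outside the scope of this fix.
/// </remarks>
public UserLogin Login(UserLogin userlogin)
{
    if (userlogin == null)
    {
        throw new ArgumentNullException("userlogin");
    }

    SqlParameter[] para =
    {
        new SqlParameter("@userloginId", userlogin.LoginId),
        new SqlParameter("@userloginPwd", userlogin.LoginPwd)
    };

    string sql = "select LoginId,LoginPwd,LoginName from UserLogin where LoginPwd=@userloginPwd And LoginId=@userloginId";

    // The reader owns the connection (CloseConnection), so disposing it releases both — including
    // when Read() throws, which the original's bare sdr.Close() did not cover.
    using (SqlDataReader sdr = SQLHelper.ExeReader(sql, para))
    {
        if (sdr.Read())
        {
            userlogin.LoginName = sdr["LoginName"].ToString();
            return userlogin;
        }
    }

    return null; // login failed
}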