在这个类中,我试图实现一个以参数化方式执行SQL插入的方法,以防止SQl注入,结果可以显示查询可以执行但是当我单击时数据库没有更新在我的项目中附加数据库。
那么如何使用Ole DB执行insert命令?实施此方法时是否有任何方法和预防措施?
以下是我的代码
private string connectionDBString = ConfigurationManager.ConnectionStrings["TestConnectionString"].ConnectionString.ToString();
...
public void add_data(string chi_name, string eng_name, string nick_name,
int bd_year, int bd_month, int bd_day, string home_tel, int no_of_child......
...
string sql = @"INSERT INTO STUDENT(CHI_NAME,ENG_NAME,NICK_NAME,BD_YYYY,BD_MM,BD_DD,HOME_TEL,NO_OF_CHILD ..)VALUES(@NEW_CHI_NAME,@NEW_ENG_NAME,@NEW_NICK_NAME,@NEW_BD_YYYY......
...
OleDbCommand cmd = new OleDbCommand(sql, connection);
cmd.CommandType = CommandType.Text;
cmd.Parameters.Add(new OleDbParameter("@NEW_CHI_NAME", chi_name));
cmd.Parameters.Add(new OleDbParameter("@NEW_ENG_NAME", eng_name));
cmd.Parameters.Add(new OleDbParameter("@NEW_NICK_NAME", nick_name));
cmd.Parameters.Add(new OleDbParameter("@NEW_BD_YYYY", bd_year));
cmd.Parameters.Add(new OleDbParameter("@NEW_BD_MM", bd_month));
...
connection.Open();
int rows = cmd.ExecuteNonQuery();
if (rows > 0)
{
MessageBox.Show("Insert New Client Success!" + " " + rows);
}
connection.Close();
connection.Dispose();
.......在app.config中,正确包含ConnectionString
<add name="TestConnectionString"
connectionString="Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\test.accdb;Persist Security Info=True"
providerName="System.Data.OleDb" />