How to use multiple parameters in a SQL query

Time: 2014-05-30 14:24:17

Tags: c# asp.net sql

I recently came across a statement about how to prevent SQL injection, so I changed my code to this (old code commented out):

nameE = txtName.Text;

//sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = '" + nameE + "'";
sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = @name";

using (SqlCommand command = new SqlCommand(sqlCode, Conn))
{
      //command.CommandType = CommandType.Text;
      command.Parameters.AddWithValue("name", nameE);

      using (reader = command.ExecuteReader())
      {
        // some action goes here...
      }
}

How do I do the same thing with multiple parameters?

My code looks like this; I use it as a function that fills two parameters as variables for another function:

public void writeData(string k, string c)
{
    Conn = new SqlConnection(cString);
    Conn.Open();

    //MessageBox.Show(k);
    //MessageBox.Show(c);

    var pdfPath = Path.Combine(Server.MapPath("~/PDFTemplates/fw9.pdf"));

    // Get the form fields for this PDF and fill them in!
    var formFieldMap = PDFHelper.GetFormFieldNames(pdfPath);

    //if more than multiple entries, verify by name and the last four ssn
    //sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = '" + k + "' AND [ssn3] = " + c + "";
    sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = @name2 AND [ssn3] = @ssnnum";
    //MessageBox.Show("" + sqlCode.ToString());

    using (SqlCommand command = new SqlCommand(sqlCode, Conn))
    {
        //command.CommandType = CommandType.Text;
        command.Parameters.AddWithValue("name2", k);
        command.Parameters.AddWithValue("ssnnum", c);

        using (reader = command.ExecuteReader())
        {
            if (reader.HasRows)
            {
                if (reader.Read())
                {
                    MessageBox.Show(reader.GetValue(0).ToString());
                    /*formFieldMap["topmostSubform[0].Page1[0].f1_01_0_[0]"] = reader.GetValue(0).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].f1_02_0_[0]"] = reader.GetValue(1).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].f1_04_0_[0]"] = reader.GetValue(2).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].f1_05_0_[0]"] = reader.GetValue(3).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].f1_07_0_[0]"] = reader.GetValue(4).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField1[0]"] = reader.GetValue(5).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField2[0]"] = reader.GetValue(6).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField2[1]"] = reader.GetValue(7).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField2[2]"] = reader.GetValue(8).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField2[3]"] = reader.GetValue(9).ToString();*/
                }
            }
        }
    }

    // Requester's name and address (hard-coded)
    //formFieldMap["topmostSubform[0].Page1[0].f1_06_0_[0]"] = "Medical Group\n27 West Ave\nPurchase, NY 10577";

    //var pdfContents = PDFHelper.GeneratePDF(pdfPath, formFieldMap);

    //PDFHelper.ReturnPDF(pdfContents, "Completed-W9.pdf");
}


1 answer:

Answer 0 (score: 5)

You can add the parameters the same way as before. This is what your code would look like:

sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = @name AND [ssn3] = @ssn3";

using (SqlCommand command = new SqlCommand(sqlCode, Conn))
{
      //command.CommandType = CommandType.Text;
      command.Parameters.AddWithValue("@name", nameE);
      command.Parameters.AddWithValue("@ssn3", c);

      using (reader = command.ExecuteReader())
      {
        // some action goes here...
      }
}
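As an added example (not the asker's or the answerer's code), the same two-parameter lookup written with explicitly typed parameters and an input check, so the values reach SQL Server out-of-band and with the column's own type; the column types NVARCHAR(100) and INT, the class name and the method name are assumptions:

```csharp
// Added example, not code from the question or the answer. Assumes the table
// from the question, with [name] declared NVARCHAR(100) and [ssn3] declared INT
// (both assumptions; match SqlDbType to the real column definitions).
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class TaxpayerLookup
{
    // Column and table names come from the question; only the SELECT list is narrowed.
    private const string Sql =
        "SELECT [name], [ssn3] FROM [db].[dbo].[TablePDFTest] " +
        "WHERE [name] = @name AND [ssn3] = @ssn3";

    public static List<(string Name, int Ssn3)> Find(string connectionString, string name, string ssnLastFour)
    {
        // Reject anything that cannot be the last four SSN digits before touching the database.
        if (ssnLastFour == null || ssnLastFour.Length != 4 || !ssnLastFour.All(char.IsDigit))
            throw new ArgumentException("expected the last four digits of the SSN", nameof(ssnLastFour));
        int ssn3 = int.Parse(ssnLastFour);

        var results = new List<(string, int)>();
        using (var conn = new SqlConnection(connectionString))
        using (var command = new SqlCommand(Sql, conn))
        {
            // The values travel as parameters, never as part of the SQL text, so a
            // name such as O'Brien or one containing quotes or comment markers is
            // simply compared literally against the [name] column.
            // Explicit types: AddWithValue infers NVARCHAR for every string, which
            // for an INT column forces an implicit conversion in the query plan.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            command.Parameters.Add("@ssn3", SqlDbType.Int).Value = ssn3;

            conn.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                    results.Add((reader.GetString(0), reader.GetInt32(1)));
            }
        }
        return results;
    }
}
```

Both `"name"` and `"@name"` are accepted as parameter names by SqlCommand; the explicit `@` form matches what appears in the query text and is the one shown in the answer.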