On page load you have to fill in some text boxes and then click Add:
// Click handler: build a row object from the form fields, persist it, then reload the page
tbSpyReports spyReport = new tbSpyReports();
spyReport.sgCityLevel = Convert.ToInt32(tbCityLevel.Text); // throws FormatException on non-numeric input
spyReport.sgCityName = tbCityName_insert.Text;
....
spyReport.insert();
Response.Redirect(Request.RawUrl);
// insert(): every user-supplied value goes in as a named parameter, never into the SQL text
SqlConnection con = ikaConn.getConn();
SqlCommand command = new SqlCommand("INSERT INTO spyReports(cityName, playerName, cityId, islandId, cordX, cordY, " + "cityLevel, cityWall, cityWarehouse, Wood, Wine, Marble, Crystal, Sulfur, hasArmies) VALUES(" + "@cityName, @playerName, @cityId, @islandId, @cordX, @cordY, " + "@cityLevel, @cityWall, @cityWarehouse, @Wood, @Wine, @Marble, @Crystal, @Sulfur, @hasArmies)", con);
command.Parameters.Add(new SqlParameter("cityName", this.cityName));
command.Parameters.Add(new SqlParameter("playerName", this.playerName));
....
command.ExecuteNonQuery();
command.Dispose();
Answer 0: (score: 0)
It should not be vulnerable to traditional SQL injection of this form:
statement = "SELECT * FROM users WHERE name ='" + userName + "';"
because you are using parameterized queries.
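An added example, not from the question or the answer, contrasting the two patterns the answer refers to. It uses Python's sqlite3 parameter binding as a stand-in for SqlClient's SqlParameter and a constructed three-column version of the spyReports table (the page does not show the real schema):

```python
import sqlite3

# Constructed schema: a trimmed-down spyReports with the columns this demo needs.
SCHEMA = "CREATE TABLE spyReports(cityName TEXT, playerName TEXT, cityLevel INTEGER)"


def insert_concatenated(conn, city_name, player_name, city_level):
    """The pattern the answer warns about: user input is pasted into the SQL text,
    so any quote character in the value changes the statement's structure."""
    sql = ("INSERT INTO spyReports(cityName, playerName, cityLevel) VALUES('"
           + city_name + "', '" + player_name + "', " + str(city_level) + ")")
    conn.execute(sql)


def insert_parameterized(conn, city_name, player_name, city_level):
    """What the asker's SqlCommand code does: placeholders in the SQL, values bound
    separately, so the database never parses the input as SQL."""
    sql = ("INSERT INTO spyReports(cityName, playerName, cityLevel) "
           "VALUES(:cityName, :playerName, :cityLevel)")
    conn.execute(sql, {"cityName": city_name,
                       "playerName": player_name,
                       "cityLevel": city_level})


def demo(city_name):
    """Run both inserts for one city name and report what happened.

    Returns {"concat": "ok" | "error", "stored": [cityName values now in the table]}.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    results = {}
    try:
        insert_concatenated(conn, city_name, "alice", 5)
        results["concat"] = "ok"
    except sqlite3.Error:
        # A plain apostrophe in the value already breaks the concatenated statement.
        results["concat"] = "error"
    insert_parameterized(conn, city_name, "alice", 5)
    results["stored"] = [row[0] for row in conn.execute("SELECT cityName FROM spyReports")]
    conn.close()
    return results


if __name__ == "__main__":
    print(demo("Lerna"))            # both paths succeed
    print(demo("O'Brien's Keep"))   # concatenation fails, parameterized stores it verbatim
```

The second call shows the property that matters: the bound value reaches the table byte-for-byte, quotes included, while the concatenated version cannot even handle an ordinary apostrophe.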