我一直在尝试转换为使用SQL Server中的存储过程来执行我们的CRUD。在我的代码隐藏中,这是我将参数传递给SqlHelper
类的方法(如果你需要我发布这个,请告诉我)。但这是阻止SQL注入吗?有没有更好的方法来传递这些?我还在下面粘贴了我的存储过程以进行更新。任何改善这一点的建议都将受到赞赏!
protected void UpdateRecord()
{
var connectionString = ConfigurationManager.ConnectionStrings["myConnectionString"].ToString();
SqlParameter[] sqlParam = new SqlParameter[19];
sqlParam[0] = new SqlParameter("@empfk", empno.Text);
sqlParam[1] = new SqlParameter("@prescriptpk", TxtPK.Text);
sqlParam[2] = new SqlParameter("@date", TxtDate.Text);
sqlParam[3] = new SqlParameter("@arcfk", DDLFullName.SelectedValue);
sqlParam[4] = new SqlParameter("@OT", chkOT.Checked);
sqlParam[5] = new SqlParameter("@PT", chkPT.Checked);
sqlParam[6] = new SqlParameter("@PS", chkPS.Checked);
sqlParam[7] = new SqlParameter("@SA", chkSA.Checked);
sqlParam[8] = new SqlParameter("@EC", chkEC.Checked);
sqlParam[9] = new SqlParameter("@NC", chkNC.Checked);
sqlParam[10] = new SqlParameter("@reason", DDLReason.SelectedValue);
sqlParam[11] = new SqlParameter("@sentto", TxtSentTo.Text);
sqlParam[12] = new SqlParameter("@sentvia", DDLSentVia.SelectedValue);
sqlParam[13] = new SqlParameter("@datereceived", TxtDateRec.Text);
sqlParam[14] = new SqlParameter("@datesigned", txtDateSigned.Text);
sqlParam[15] = new SqlParameter("@comments", txtComments.Text);
sqlParam[16] = new SqlParameter("@effbeg", TxtEffBeg.Text);
sqlParam[17] = new SqlParameter("@effend", TxtEffEnd.Text);
sqlParam[18] = new SqlParameter("@documentation", txtDocumentation.Text);
sqlhelper.SqlHelper.ExecuteNonQuery(connectionString, CommandType.StoredProcedure, "prescriptions_Update", sqlParam);
GridView1.DataBind();
}
这是存储过程:
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[prescriptions_Update]
(@prescriptpk int, @date date, @arcfk int, @OT bit,
@PT bit, @PS bit, @SA bit, @EC bit, @NC bit,
@reason varchar(30), @sentto varchar(40),
@sentvia char(10), @datereceived date, @datesigned date,
@comments varchar(max), @effbeg date, @effend date,
@documentation varchar(max) )
AS
BEGIN
SET NOCOUNT ON;
UPDATE [Support].[dbo].[prescriptions]
SET [date] = @date, arcfk = @arcfk, OT = @OT, PT = @PT, PS = @PS,
SA = @SA, EC = @EC, NC = @NC, reason = @reason, sentto = @sentto,
sentvia = @sentvia, datereceived = @datereceived,
datesigned = @datesigned, comments = @comments, effbeg = @effbeg,
effend = @effend, documentation = @documentation
WHERE
prescriptpk = @prescriptpk
END
GO
答案 0 :(得分:0)
Microsoft有一篇文章,您可以阅读here。它讨论了阻止SQL注入所需要做的事情。
但该文章的摘要是您需要使用fxn
和SqlCommand
。
答案 1 :(得分:0)
试试这个
private static SqlConnection _Connection = new SqlConnection();
private static SqlCommand _Command = new SqlCommand();
private static SqlConnection _Conn = new SqlConnection();
private static SqlConnection GetConnection()
{
try
{
if (_Connection.State == ConnectionState.Closed)
{
_Connection.ConnectionString = "ConnectionString";
_Connection.Open();
}
return _Connection;
}
catch (Exception ex)
{
throw ex;
}
}
public static void UpdateData(params object[] ParamValue)
{
try
{
_Conn = GetConnection();
_Command.Connection = _Conn;
_Command.CommandTimeout = 0;
_Command.CommandType = CommandType.StoredProcedure;
_Command.CommandText = "updateprocedure";
_Command.Parameters.Clear();
_Command.Parameters.Add("@Paramname1", SqlDbType.Int).Value = ParamValue[0];
_Command.Parameters.Add("@Paramname2", SqlDbType.Int).Value = ParamValue[1];
_Command.Parameters.Add("@Paramname3", SqlDbType.Int).Value = ParamValue[2];
_Command.ExecuteNonQuery();
}
catch (Exception ex)
{
throw ex;
}
finally
{
CloseConnection();
}
}