将参数传递给存储过程以进行更新

时间:2015-11-10 15:47:11

标签: c# sql asp.net sql-server

我一直在尝试转换为使用SQL Server中的存储过程来执行我们的CRUD。在我的代码隐藏中,这是我将参数传递给SqlHelper类的方法(如果你需要我发布这个,请告诉我)。但这是阻止SQL注入吗?有没有更好的方法来传递这些?我还在下面粘贴了我的存储过程以进行更新。任何改善这一点的建议都将受到赞赏!

protected void UpdateRecord()
{
    var connectionString = ConfigurationManager.ConnectionStrings["myConnectionString"].ToString();

    SqlParameter[] sqlParam = new SqlParameter[19];

    sqlParam[0] = new SqlParameter("@empfk", empno.Text);
    sqlParam[1] = new SqlParameter("@prescriptpk", TxtPK.Text);
    sqlParam[2] = new SqlParameter("@date", TxtDate.Text);
    sqlParam[3] = new SqlParameter("@arcfk", DDLFullName.SelectedValue);
    sqlParam[4] = new SqlParameter("@OT", chkOT.Checked);
    sqlParam[5] = new SqlParameter("@PT", chkPT.Checked);
    sqlParam[6] = new SqlParameter("@PS", chkPS.Checked);
    sqlParam[7] = new SqlParameter("@SA", chkSA.Checked);
    sqlParam[8] = new SqlParameter("@EC", chkEC.Checked);
    sqlParam[9] = new SqlParameter("@NC", chkNC.Checked);
    sqlParam[10] = new SqlParameter("@reason", DDLReason.SelectedValue);
    sqlParam[11] = new SqlParameter("@sentto", TxtSentTo.Text);
    sqlParam[12] = new SqlParameter("@sentvia", DDLSentVia.SelectedValue);
    sqlParam[13] = new SqlParameter("@datereceived", TxtDateRec.Text);
    sqlParam[14] = new SqlParameter("@datesigned", txtDateSigned.Text);
    sqlParam[15] = new SqlParameter("@comments", txtComments.Text);
    sqlParam[16] = new SqlParameter("@effbeg", TxtEffBeg.Text);
    sqlParam[17] = new SqlParameter("@effend", TxtEffEnd.Text);
    sqlParam[18] = new SqlParameter("@documentation", txtDocumentation.Text);

    sqlhelper.SqlHelper.ExecuteNonQuery(connectionString, CommandType.StoredProcedure, "prescriptions_Update", sqlParam);
    GridView1.DataBind();
}

这是存储过程:

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

ALTER PROCEDURE [dbo].[prescriptions_Update]
    (@prescriptpk int, @date date, @arcfk int, @OT bit, 
     @PT bit, @PS bit, @SA bit, @EC bit, @NC bit, 
     @reason varchar(30), @sentto varchar(40), 
     @sentvia char(10), @datereceived date, @datesigned date, 
     @comments varchar(max), @effbeg date, @effend date,
     @documentation varchar(max) )
AS
BEGIN
    SET NOCOUNT ON; 

    UPDATE [Support].[dbo].[prescriptions] 
    SET [date] = @date, arcfk = @arcfk, OT = @OT, PT = @PT, PS = @PS, 
        SA = @SA, EC = @EC, NC = @NC, reason = @reason, sentto = @sentto, 
        sentvia = @sentvia, datereceived = @datereceived, 
        datesigned = @datesigned, comments = @comments, effbeg = @effbeg, 
        effend = @effend, documentation = @documentation 
    WHERE 
        prescriptpk = @prescriptpk
END
GO

2 个答案:

答案 0 :(得分:0)

Microsoft有一篇文章,您可以阅读here。它讨论了阻止SQL注入所需要做的事情。

但该文章的摘要是您需要使用fxnSqlCommand

答案 1 :(得分:0)

试试这个

private static SqlConnection _Connection = new SqlConnection();
private static SqlCommand _Command = new SqlCommand();
private static SqlConnection _Conn = new SqlConnection();

private static SqlConnection GetConnection()
    {
        try
        {
            if (_Connection.State == ConnectionState.Closed)
            {
            _Connection.ConnectionString = "ConnectionString";
            _Connection.Open();
            }
            return _Connection;
        }
        catch (Exception ex)
        {
            throw ex;
        }
    }

public static void UpdateData(params object[] ParamValue)
    {
        try
        {
            _Conn = GetConnection();
            _Command.Connection = _Conn;
            _Command.CommandTimeout = 0;
            _Command.CommandType = CommandType.StoredProcedure;
            _Command.CommandText = "updateprocedure";

            _Command.Parameters.Clear();
            _Command.Parameters.Add("@Paramname1", SqlDbType.Int).Value = ParamValue[0];
            _Command.Parameters.Add("@Paramname2", SqlDbType.Int).Value = ParamValue[1];
            _Command.Parameters.Add("@Paramname3", SqlDbType.Int).Value = ParamValue[2];


            _Command.ExecuteNonQuery();
        }
        catch (Exception ex)
        {
            throw ex;
        }
        finally
        {
            CloseConnection();
        }
    }