public void Add(tour.Model.cate model)
{
StringBuilder strSql = new StringBuilder();
strSql.Append("insert into tbl_cate(");
strSql.Append("ciID,catename,refectoryname,refeaddress,refephone,catereason,hotrefectory,cateinfo,cateFID");
strSql.Append(")");
strSql.Append(" values (");
strSql.Append("" + model.ciID + ",");
strSql.Append("'" + model.catename + "',");
strSql.Append("'" + model.refectoryname + "',");
strSql.Append("'" + model.refeaddress + "',");
strSql.Append("'" + model.refephone + "',");
strSql.Append("'" + model.catereason + "',");
strSql.Append("'" + model.hotrefectory + "',");
strSql.Append("'" + model.cateinfo + "',");
strSql.Append("" + model.cateFID + "");
strSql.Append(")");
DbHelperSQL.ExecuteSql(strSql.ToString());
}
C# code
using System;
using System.Collections.Generic;
using System.Text;namespace tour.Model
{
/// <summary>
/// 实体类cate 。(属性说明自动提取数据库字段的描述信息)
/// </summary>
public class cate
{
public cate()
{ }
#region Model
private int _cateid;
private int _ciid;
private string _catename;
private string _refectoryname;
private string _refeaddress;
private string _refephone;
private string _catereason;
private string _hotrefectory;
private string _cateinfo;
private int _catefid;
private string _catefile;
private DateTime _adddate; /// <summary>
///
/// </summary>
public int cateID
{
set{ _cateid=value;}
get{return _cateid;}
}
/// <summary>
///
/// </summary>
public int ciID
{
set{ _ciid=value;}
get{return _ciid;}
}
/// <summary>
///
/// </summary>
public string catename
{
set{ _catename=value;}
get{return _catename;}
}
/// <summary>
///
/// </summary>
public string refectoryname
{
set{ _refectoryname=value;}
get{return _refectoryname;}
}
/// <summary>
///
/// </summary>
public string refeaddress
{
set{ _refeaddress=value;}
get{return _refeaddress;}
}
/// <summary>
///
/// </summary>
public string refephone
{
set{ _refephone=value;}
get{return _refephone;}
}
/// <summary>
///
/// </summary>
public string catereason
{
set{ _catereason=value;}
get{return _catereason;}
}
/// <summary>
///
/// </summary>
public string hotrefectory
{
set{ _hotrefectory=value;}
get{return _hotrefectory;}
}
/// <summary>
///
/// </summary>
public string cateinfo
{
set{ _cateinfo=value;}
get{return _cateinfo;}
}
/// <summary>
///
/// </summary>
public int cateFID
{
set{ _catefid=value;}
get{return _catefid;}
}
/// <summary>
///
/// </summary>
public string catefile
{
set{ _catefile=value;}
get{return _catefile;}
}
/// <summary>
///
/// </summary>
public DateTime adddate
{
set{ _adddate=value;}
get{return _adddate;}
}
#endregion Model
}
}
OracleParameter[] parms = {
new OracleParameter(":ID", OracleType.VarChar, 40), }parms[0].Vlaue="";
一般使用存储过程可以防sql注入。
个人观点如有错误请大大们指出。
public void Add(tour.Model.cate model)
{
StringBuilder strSql = new StringBuilder();
strSql.Append("insert into tbl_cate(");
strSql.Append ("ciID,catename,refectoryname,refeaddress,refephone,catereason,hotrefectory,cateinfo,cateFID");
strSql.Append(")");
strSql.Append(" values (@ciID,@catename,@refectoryname,@refeaddress,@refephone,@catereason,@hotrefectory,@cateinfo,@cateFID)");
//DbHelperSQL.ExecuteSql(strSql.ToString());
}
用参数
你给出的代码是肯定防止不了SQL注入的.
这个代码,如果catename属性值中含有单引号怎么办?这是一个连SQL语法都不懂的程序员写的SQL表达式。另外,既然封装为public void Add(tour.Model.cate model)这样一个独立的方法,那么它就肯定将来要多处使用,那么写这个方法的人按说就不应该用“现在catename中不可能有单引号呀”这样的借口。对于下面的几个字符串,也是一样,为什么不将单引号转换为两个单引号(这是T-SQL语法明文规定的)?而如果你写的SQL表达式确实是符合SQL语法的,管它什么“注入”,那不是杞人忧天嘛!
这个代码,如果catename属性值中含有单引号怎么办?这是一个连SQL语法都不懂的程序员写的SQL表达式。
为什么这样说?不合语法吗?