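// NOTE(review): `sql` declares a placeholder named @id but is never handed to a command;
// the command below executes Proc_QueryBook and binds @Category instead. A parameter name
// only has an effect when it matches a placeholder in the text that is actually executed —
// confirm which of the two the caller intends before wiring this up.
string sql = "SELECT * FROM [Table] WHERE [Id]=@id";
using (SqlConnection con = new SqlConnection(conStr))
{
    using (SqlCommand cmd = new SqlCommand("Proc_QueryBook", con))
    {
        // "Proc_QueryBook" is a procedure name, not a SQL batch. Under the default
        // CommandType.Text the bare name is sent as a batch and the @Category parameter
        // is declared for that batch rather than passed to the procedure.
        cmd.CommandType = CommandType.StoredProcedure;
        // Bound as a typed parameter: `category` is never spliced into the command text,
        // which is what keeps this call free of SQL injection.
        cmd.Parameters.Add("@Category", SqlDbType.Int).Value = category;
        con.Open();
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            while (dr.Read())
            {
                // The original put this comment on the same line as the closing braces,
                // which commented them out and left every block unclosed.
                // to do something....
            }
        }
    }
}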
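using (SqlConnection con = new SqlConnection(conStr))
{
    using (SqlCommand cmd = new SqlCommand("Proc_QueryBook", con))
    {
        // "Proc_QueryBook" is a procedure name, not a SQL batch. Under the default
        // CommandType.Text the bare name is sent as a batch and the @Category parameter
        // is declared for that batch rather than passed to the procedure.
        cmd.CommandType = CommandType.StoredProcedure;
        // Bound as a typed parameter: `category` is never spliced into the command text.
        // The name given here must match the placeholder the executed command defines;
        // a mismatched name is silently unused by the query text.
        cmd.Parameters.Add("@Category", SqlDbType.Int).Value = category;
        con.Open();
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            while (dr.Read())
            {
                // The original put this comment on the same line as the closing brace,
                // which commented the brace out and left the loop unclosed.
                // to do something....
            }
        }
    }
}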
这一句里面的@Category应该改成跟sql语句里面的@id一致。
http://topic.csdn.net/u/20090729/14/26381958-0D6E-4B90-BC90-D275E9621F93.html
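#region sql 语句安全过滤
/// <summary>
/// Historical "SQL injection check" for string input. It has never changed its input:
/// the search list and the replacement list it iterated were identical, so every
/// <c>Replace</c> call was a no-op. This method is NOT a defense against SQL injection;
/// pass user input to the database as <c>SqlParameter</c> values instead.
/// </summary>
/// <param name="s">The value to pass through; may be null.</param>
/// <returns>
/// An empty string when <paramref name="s"/> is null, otherwise <c>s.ToString()</c> unchanged.
/// </returns>
[Obsolete("StrCheck2 returns its input unchanged and does not prevent SQL injection; bind user input as SqlCommand parameters instead.")]
public string StrCheck2(object s)
{
    // The original walked a list of SQL keywords and punctuation and replaced each hit
    // with the same text, so the value came back byte-identical. The list is dropped
    // rather than "fixed" because a keyword blacklist cannot be made safe and would
    // corrupt legitimate text; the pass-through contract is kept so existing callers
    // keep compiling and receive exactly the value they received before.
    if (s == null)
    {
        return "";
    }
    return s.ToString();
}
#endregion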