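/// <summary>
/// Deletes the Messages row whose UniqueID equals <paramref name="UniqueID"/>.
/// </summary>
/// <param name="UniqueID">Key of the row to delete.</param>
/// <returns>
/// true when exactly one row was affected; false when zero (or more than one) rows were
/// affected, or when the command failed.
/// </returns>
/// <remarks>
/// The key is bound as a SqlParameter instead of being concatenated into the SQL text, so the
/// statement shape is fixed no matter what value arrives. Failures are reported through
/// MailSender.SendException and mapped to false; nothing propagates to the caller.
/// The connection is the shared DBAccess.conn and is closed on exit, as in the original —
/// NOTE(review): a shared static connection is not safe for concurrent callers; confirm DBAccess's contract.
/// </remarks>
public static bool DelMessage(int UniqueID)
{
    SqlConnection conn = DBAccess.conn;
    string sqlcmd = "DELETE FROM Messages WHERE UniqueID = @UniqueID";
    try
    {
        // SqlCommand is IDisposable; dispose it deterministically.
        using (SqlCommand comm = new SqlCommand(sqlcmd, conn))
        {
            // NOTE(review): the column type of Messages.UniqueID is not visible here. VarChar mirrors the
            // quoted literal the original built ('...'); switch to SqlDbType.Int if the column is an int.
            comm.Parameters.Add("@UniqueID", SqlDbType.VarChar).Value = UniqueID;
            if (conn.State == ConnectionState.Closed)
            {
                conn.Open();
            }
            int res = comm.ExecuteNonQuery();
            // Success means exactly one row was deleted.
            return res == 1;
        }
    }
    catch (Exception ex)
    {
        MailSender.SendException(ex);
        return false;
    }
    finally
    {
        if (conn.State == ConnectionState.Open)
        {
            conn.Close();
        }
    }
}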
//像这样的代码是否有什么不足之处?
// NOTE(review): this block repeats the body of DelMessage above line for line, but the method
// signature is missing (UniqueID is never declared here), so it cannot compile on its own;
// presumably a paste duplicate of the first listing.
{
SqlConnection conn = DBAccess.conn; // shared static connection owned by DBAccess
// The key is spliced into the SQL text by string concatenation; the later DelMessage
// listing binds it as @UniqueID via SqlParameter instead.
string sqlcmd = "DELETE FROM Messages WHERE UniqueID='"+UniqueID+"'";
SqlCommand comm = new SqlCommand(sqlcmd, conn); // IDisposable, never disposed in this block
try
{
if(conn.State == ConnectionState.Closed) conn.Open();
int res = comm.ExecuteNonQuery();
// Success only when exactly one row was affected.
if(1==res) return true;
else return false;
}
catch(Exception ex)
{
// Failures are reported by mail and mapped to false; nothing is rethrown.
MailSender.SendException(ex);
return false;
}
finally
{
if(conn.State == ConnectionState.Open) conn.Close();
}
}
//像这样的代码是否有什么不足之处?
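/// <summary>
/// Deletes the Messages row whose UniqueID equals <paramref name="uniqueID"/>.
/// </summary>
/// <param name="uniqueID">Key of the row to delete.</param>
/// <returns>
/// true when exactly one row was affected; false otherwise, including when the command threw.
/// </returns>
/// <remarks>
/// Exceptions are reported via MailSender.SendException and swallowed; the single exit returns
/// <c>flag</c>, which is only set after a successful ExecuteNonQuery.
/// </remarks>
public static bool DelMessage(int uniqueID) // parameter names are camelCase
{
    bool flag = false;
    SqlConnection conn = DBAccess.conn;
    // Bind the key as a parameter rather than building the SQL text by concatenation.
    string sqlcmd = "DELETE FROM Messages WHERE UniqueID = @UniqueID";
    try
    {
        // SqlCommand is IDisposable; the earlier version never disposed it.
        using (SqlCommand comm = new SqlCommand(sqlcmd, conn))
        {
            // NOTE(review): the column type of Messages.UniqueID is not visible here. VarChar mirrors the
            // quoted literal of the earlier listing; use SqlDbType.Int if the column is an int.
            comm.Parameters.Add("@UniqueID", SqlDbType.VarChar).Value = uniqueID;
            if (conn.State == ConnectionState.Closed)
            {
                conn.Open();
            }
            int res = comm.ExecuteNonQuery();
            // Success only when exactly one row was affected.
            if (1 == res)
            {
                flag = true;
            }
        }
    }
    catch (Exception ex)
    {
        MailSender.SendException(ex);
    }
    finally
    {
        if (conn.State == ConnectionState.Open)
        {
            conn.Close();
        }
    }
    return flag;
}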
为什么需要采用局部参数小写的习惯?
似乎java中的参数会用小写的风格,而.NET中大多采用大写吧?
另外,用参数的办法为什么能提高安全性?如果用SQL注入,那这种用参数的办法就能杜绝?
另外，catch 里面不 return false 的话，会不会不够周到？如果只在最后 return，那万一遇到 Exception，是不是就什么都返回不了？还是说遇到 Exception 时根本不会执行到 return，所以 catch 里也就没有必要 return 了？