//防Sql注入类 SqlChecker
SqlChecker sqlChecker = new SqlChecker();
//连接数据库字符串
string UserId = TextBox1.Text;
// string Password = TextBox2.Text;
string Password = SqlChecker.EncryptPassword(TextBox2.Text);
string ConStr = System.Configuration.ConfigurationManager.AppSettings["ConnectString"];
SqlConnection con = new SqlConnection(ConStr);
con.Open();
//执行Sql,连接数据库
string strsql = "select distinct UserId,Password,EmpId from LoginTb where UserId='"+UserId+"' and Password='"+Password+"' and State='1' ";
SqlCommand cmd = new SqlCommand(strsql, con)
SqlDataReader rs = cmd.ExecuteReader();
if (rs.Read())
{ if (UserId != "")
{
Session.Timeout = 120;
Session["UserId"] = TextBox1.Text;
Session["EmpId"] = rs["EmpId"].ToString(); Response.Redirect("main1.aspx");
}
这么写登不上去C#sql注入
SqlChecker sqlChecker = new SqlChecker();
//连接数据库字符串
string UserId = TextBox1.Text;
// string Password = TextBox2.Text;
string Password = SqlChecker.EncryptPassword(TextBox2.Text);
string ConStr = System.Configuration.ConfigurationManager.AppSettings["ConnectString"];
SqlConnection con = new SqlConnection(ConStr);
con.Open();
//执行Sql,连接数据库
string strsql = "select distinct UserId,Password,EmpId from LoginTb where UserId='"+UserId+"' and Password='"+Password+"' and State='1' ";
SqlCommand cmd = new SqlCommand(strsql, con)
SqlDataReader rs = cmd.ExecuteReader();
if (rs.Read())
{ if (UserId != "")
{
Session.Timeout = 120;
Session["UserId"] = TextBox1.Text;
Session["EmpId"] = rs["EmpId"].ToString(); Response.Redirect("main1.aspx");
}
这么写登不上去C#sql注入
cmd.Parameters.Add(....);
自己搜一下吧
namespace 数据导入导出
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
} private void button1_Click(object sender, EventArgs e)
{
if (odfImport.ShowDialog() != DialogResult.OK)
{
return;
}
using (FileStream fileStream = File.OpenRead(odfImport.FileName))
{
using (StreamReader streamReader = new StreamReader(fileStream))
{
using (SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database1.mdf;Integrated Security=True;User Instance=True"))
//创建连接是非常耗时的,因此不要每次操作创建连接
{
conn.Open();
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandText = "Insert into T_Persons(Name,Age) values(@Name,@Age)";
string line = null;
while ((line = streamReader.ReadLine()) != null)
{
string[] strs = line.Split('#');
string name = strs[0];
int age = Convert.ToInt32(strs[1]);
cmd.Parameters.Clear();//!!!!!把上次执行的所有的参数都把它清除掉
//参数不能重复添加,在while中一直用的就是一个SqlCommand对象
cmd.Parameters.Add(new SqlParameter("Name", name));
cmd.Parameters.Add(new SqlParameter("Age", age));
cmd.ExecuteNonQuery();
}
}
}
}
}
MessageBox.Show("导入成功");