How to use multiple parameters in a SQL query

Time: 2022-05-20 14:53:26

I recently came across a statement on how to prevent SQL injection, so I changed my code to this (commented out are the old codes):

nameE = txtName.Text;

//sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = '" + nameE + "'";
sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = @name";

using (SqlCommand command = new SqlCommand(sqlCode, Conn))
{
    //command.CommandType = CommandType.Text;
    command.Parameters.AddWithValue("name", nameE);

    using (reader = command.ExecuteReader())
    {
        // some action goes here...
    }
}

How can I do the same with multiple parameters?

My code is this; I am using it as a function, passing the two parameters as variables from another function:

public void writeData(string k, string c)
{
    Conn = new SqlConnection(cString);
    Conn.Open();

    //MessageBox.Show(k);
    //MessageBox.Show(c);

    var pdfPath = Path.Combine(Server.MapPath("~/PDFTemplates/fw9.pdf"));

    // Get the form fields for this PDF and fill them in!
    var formFieldMap = PDFHelper.GetFormFieldNames(pdfPath);

    //if more than multiple entries, verify by name and the last four ssn
    //sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = '" + k + "' AND [ssn3] = " + c + "";
    sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = @name2 AND [ssn3] = @ssnnum";
    //MessageBox.Show("" + sqlCode.ToString());

    using (SqlCommand command = new SqlCommand(sqlCode, Conn))
    {
        //command.CommandType = CommandType.Text;
        command.Parameters.AddWithValue("name2", k);
        command.Parameters.AddWithValue("ssnnum", c);

        using (reader = command.ExecuteReader())
        {
            if (reader.HasRows)
            {
                if (reader.Read())
                {
                    MessageBox.Show(reader.GetValue(0).ToString());
                    /*formFieldMap["topmostSubform[0].Page1[0].f1_01_0_[0]"] = reader.GetValue(0).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].f1_02_0_[0]"] = reader.GetValue(1).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].f1_04_0_[0]"] = reader.GetValue(2).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].f1_05_0_[0]"] = reader.GetValue(3).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].f1_07_0_[0]"] = reader.GetValue(4).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField1[0]"] = reader.GetValue(5).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField2[0]"] = reader.GetValue(6).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField2[1]"] = reader.GetValue(7).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField2[2]"] = reader.GetValue(8).ToString();
                    formFieldMap["topmostSubform[0].Page1[0].social[0].TextField2[3]"] = reader.GetValue(9).ToString();*/
                }
            }
        }
    }

    // Requester's name and address (hard-coded)
    //formFieldMap["topmostSubform[0].Page1[0].f1_06_0_[0]"] = "Medical Group\n27 West Ave\nPurchase, NY 10577";

    //var pdfContents = PDFHelper.GeneratePDF(pdfPath, formFieldMap);

    //PDFHelper.ReturnPDF(pdfContents, "Completed-W9.pdf");
}

1 solution

#1


5  

You can add parameters as you did before. This is what your code will look like:

sqlCode = "SELECT * FROM [db].[dbo].[TablePDFTest] WHERE [name] = @name AND [ssn3] = @ssn3";

using (SqlCommand command = new SqlCommand(sqlCode, Conn))
{
    //command.CommandType = CommandType.Text;
    command.Parameters.AddWithValue("@name", nameE);
    command.Parameters.AddWithValue("@ssn3", c);

    using (reader = command.ExecuteReader())
    {
        // some action goes here...
    }
}

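As an added example (not the asker's or the answerer's code), here is the same two-parameter lookup written with explicitly typed SqlParameter objects instead of AddWithValue, so the parameter types match the columns and SQL Server does not have to infer them, with the connection and reader disposed by using blocks. The connection string, the column types (name as nvarchar(100), ssn3 as int) and the TablePDFTest schema are assumptions; adjust them to the real table.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class PdfLookup
{
    // Assumed connection string; replace with the application's own.
    private const string ConnectionString = "<connection string placeholder>";

    // Looks up one row by name and the last digits of the SSN using two typed
    // parameters. Returns the first column of the matching row, or null if no
    // row matched. Both inputs travel as data, never as part of the SQL text.
    public static string FindFirstColumn(string name, string ssnLast)
    {
        // Validate the numeric input before it reaches the database.
        // (int column is an assumption; use SqlDbType.Char for a char(4) column.)
        if (!int.TryParse(ssnLast, out int ssnValue))
        {
            return null;
        }

        const string sql =
            "SELECT * FROM [db].[dbo].[TablePDFTest] " +
            "WHERE [name] = @name AND [ssn3] = @ssn3";

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand(sql, conn))
        {
            // Explicit types and lengths: the plan cache sees one stable
            // parameter signature and no implicit conversion is required.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            command.Parameters.Add("@ssn3", SqlDbType.Int).Value = ssnValue;

            conn.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                // Read() already reports whether a row exists; HasRows is redundant.
                if (!reader.Read())
                {
                    return null;
                }
                // With SELECT * the ordinal depends on column order; select named
                // columns in production so the mapping cannot silently shift.
                return reader.GetValue(0).ToString();
            }
        }
    }
}
```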