数据库参数化传递可以增强数据的安全性,但却会降低开发效率,为此创建了如下函数以解决这个问题:
public static string PrepareParameter(string sql, out SqlParameter[] cmdParms, params object[] args)
{
cmdParms = null;
if (args != null && args.Length != )
{
string[] argNames = new string[args.Length];
cmdParms = new SqlParameter[args.Length];
string prefix = "arg";
for (int i = , c = args.Length; i < c; i++)
{
string ParameterName = prefix + i;
cmdParms[i] = new SqlParameter();
cmdParms[i].ParameterName = ParameterName;
cmdParms[i].Value = args[i];
argNames[i] = "@" + ParameterName;
}
sql = string.Format(sql, argNames);
}
return sql;
}
使用方法如下:
