C# SQL语句参数化防止SQL注入


C# SQL语句参数化防止SQL注入

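  /// <summary>
  /// Persists one saved query-condition row for a form. Every caller-supplied value is bound as a
  /// <see cref="SqlParameter"/>, so it travels to the server as data and is never spliced into
  /// the SQL text; that is what keeps <paramref name="Conditions"/> and the other strings from
  /// being interpreted as SQL.
  /// </summary>
  /// <param name="FormId">Identifier of the form the conditions belong to.</param>
  /// <param name="FormName">Display name of the form.</param>
  /// <param name="Conditions">Condition text; stored verbatim, not interpreted here.</param>
  /// <param name="UserId">Owner of the saved conditions.</param>
  /// <param name="errorMsg">Empty on success; otherwise why the insert did not happen.</param>
  /// <returns><c>true</c> when the insert affected at least one row; <c>false</c> otherwise.</returns>
  /// <remarks>
  /// Failures are reported through <paramref name="errorMsg"/> rather than thrown, matching the
  /// existing contract. NOTE(review): the stored <paramref name="Conditions"/> text is opaque to
  /// this method; whatever later reads it and builds a query from it must parameterize it as
  /// well — that code is not visible here.
  /// </remarks>
  public override bool AddConditions(string FormId, string FormName, string Conditions, string UserId, out string errorMsg)
        {
            errorMsg = "";
            // The original called ToString() on each argument, so a null argument surfaced as a
            // NullReferenceException message in errorMsg. Reject nulls up front with a clear reason.
            if (FormId == null || FormName == null || Conditions == null || UserId == null)
            {
                errorMsg = "FormId, FormName, Conditions and UserId must not be null.";
                return false;
            }
            DbHelper _helper = new DbHelper("CQYRSJLJ", CPAppContext.CurDbType());
            // Database connection. The helper is built from CPAppContext.CurDbType(), so the
            // cast can fail; previously a null here threw NullReferenceException from the finally
            // block, which the catch below never saw.
            SqlConnection conn = _helper.GetConnection() as SqlConnection;
            if (conn == null)
            {
                errorMsg = "The current database connection is not a SQL Server connection.";
                return false;
            }
            try
            {
                string id = Guid.NewGuid().ToString("N");
                string sql = "insert into QueryForm_Conditions(Id,FormId,FormName,Conditions,UserId)Values(@ID,@FormId,@FormName,@Conditions ,@UserId)";
                conn.Open();
                // SqlCommand is IDisposable; the original never released it.
                using (SqlCommand cmd = new SqlCommand(sql, conn))
                {
                    // Each placeholder in the SQL text is bound by name; values are sent
                    // out-of-band from the statement, never concatenated into it.
                    cmd.Parameters.Add(new SqlParameter("@ID", id));
                    cmd.Parameters.Add(new SqlParameter("@FormId", FormId));
                    cmd.Parameters.Add(new SqlParameter("@FormName", FormName));
                    cmd.Parameters.Add(new SqlParameter("@Conditions", Conditions));
                    cmd.Parameters.Add(new SqlParameter("@UserId", UserId));
                    return cmd.ExecuteNonQuery() > 0;
                }
            }
            catch (Exception ex)
            {
                // Best-effort contract: callers inspect errorMsg instead of catching.
                errorMsg = ex.Message;
                return false;
            }
            finally
            {
                // conn is non-null here (checked above), so Close() can no longer throw NRE.
                conn.Close();
            }
        }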