解决SQL注入问题

原来的代码

public string Remove(string id)
{
  // The connection string embeds the 'sa' login and its password directly in source.
  using SqlConnection conn = new SqlConnection("server=.;database=dbo;uid=sa;pwd=123");
  conn.Open();
  // Injection point: `id` is interpolated straight into the SQL text, so whatever the
  // caller passes becomes part of the statement itself rather than a bound value.
  SqlCommand cmd = new SqlCommand($"DELETE FROM Users WHERE Id = {id}",conn);
  cmd.ExecuteNonQuery();
  // Returns "1" unconditionally; the row count from ExecuteNonQuery is not inspected.
  return "1";
}

修改后的代码

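/// <summary>
/// Deletes the row in Users whose Id matches <paramref name="id"/>, binding the value
/// as a SQL parameter so it can never alter the statement text.
/// </summary>
/// <param name="id">Id of the user row to delete; sent to the server as a parameter value.</param>
/// <returns>Always "1"; the affected-row count is not reported to the caller.</returns>
public string Remove(string id)
{
  // NOTE(review): the 'sa' login and password are hard-coded here; the connection string
  // should come from configuration rather than source.
  using SqlConnection conn = new SqlConnection("server=.;database=dbo;uid=sa;pwd=123");
  conn.Open();

  // Plain string literal (no '$'): the statement contains only the @Id placeholder, so
  // there is no interpolation hole through which a value could be spliced back in.
  // The command is disposable, so it is scoped with a using declaration like the connection.
  using SqlCommand cmd = new SqlCommand("DELETE FROM Users WHERE Id = @Id", conn);

  // The value travels separately from the SQL text and is treated as data by the server.
  cmd.Parameters.Add(new SqlParameter("@Id", id));

  cmd.ExecuteNonQuery();

  return "1";
}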

传多个参数时

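/// <summary>
/// Deletes the Users row matching both <paramref name="userNo"/> and <paramref name="userName"/>,
/// binding each value as its own SQL parameter.
/// </summary>
/// <param name="userNo">Bound to @UserNo.</param>
/// <param name="userName">Bound to @UserName.</param>
/// <returns>Always "1"; the affected-row count is not reported to the caller.</returns>
public string Remove(string userNo,string userName)
{
  // NOTE(review): the 'sa' login and password are hard-coded here; the connection string
  // should come from configuration rather than source.
  using SqlConnection conn = new SqlConnection("server=.;database=dbo;uid=sa;pwd=123");
  conn.Open();

  // Plain string literal (no '$'): only the two placeholders appear in the statement text.
  using SqlCommand cmd = new SqlCommand("DELETE FROM Users WHERE UserNo = @UserNo AND UserName = @UserName", conn);

  // Fix: the original declared the variable as a single SqlParameter while assigning an
  // array, which does not compile. AddRange expects the array type.
  SqlParameter[] parameters = new SqlParameter[]
  {
    new SqlParameter("@UserNo", userNo),
    new SqlParameter("@UserName", userName)
  };
  cmd.Parameters.AddRange(parameters);

  cmd.ExecuteNonQuery();

  return "1";
}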