Oracle防sql注入的方法:
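/// <summary>
/// Looks up rows by bill number using a bind variable, so the caller-supplied
/// value is never spliced into the SQL text (the injection defence this sample
/// demonstrates).
/// </summary>
/// <param name="data">Bill number to look up; bound to :BILL_NO.</param>
/// <returns>The matching rows as a JSON array of column-name/value objects.</returns>
public JsonResult Query(string data)
{
    // Base statement; "TABLE" is the sample's placeholder for the real table name.
    string sql = "SELECT * FROM TABLE ";
    // The predicate is built only from fixed fragments; values travel as parameters.
    string where = " 1=1";
    List<OracleParameter> paList = new List<OracleParameter>();

    where += " AND BILL_NO=:BILL_NO";
    // NOTE(review): the original bound an undeclared BILL_NO; the action's only
    // input is 'data', so that is what is bound here — confirm against callers.
    // A null value is sent as DBNull so the provider sees an explicit null
    // rather than an unset parameter.
    OracleParameter p = new OracleParameter(":BILL_NO", (object)data ?? DBNull.Value);
    paList.Add(p);
    OracleParameter[] paras = paList.ToArray();

    // The predicate must actually be attached to the statement; without this
    // the bind variable is never used and the whole table comes back.
    sql += "WHERE" + where;

    DataSet ds = DbHelperOra.Query(sql, paras);

    // Flatten the first result table into plain dictionaries: DataSet/DataTable
    // do not serialize cleanly through the MVC JSON serializer.
    var rows = new List<Dictionary<string, object>>();
    if (ds.Tables.Count > 0)
    {
        DataTable table = ds.Tables[0];
        foreach (DataRow row in table.Rows)
        {
            var record = new Dictionary<string, object>(table.Columns.Count);
            foreach (DataColumn column in table.Columns)
            {
                record[column.ColumnName] = row.IsNull(column) ? null : row[column];
            }
            rows.Add(record);
        }
    }

    // Add JsonRequestBehavior.AllowGet only if this action is reached by GET
    // and the returned data is not sensitive.
    return Json(rows);
}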
// DbHelperOra: data-access base class (Oracle). Adjust it to suit the project.
// The connection string is read from web.config; it is a writable field so the
// value can be swapped at runtime to target a different database.
public static string connectionString = ConfigurationManager.ConnectionStrings["ConnectionHK"].ConnectionString;
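/// <summary>
/// Runs a text query against the configured Oracle database and returns the
/// result as a <see cref="DataSet"/> holding one table named "ds".
/// </summary>
/// <param name="SQLString">SQL text; values must be supplied as bind variables, never concatenated in.</param>
/// <param name="cmdParms">Bind parameters attached to the command (may be empty).</param>
/// <returns>A DataSet containing the query result.</returns>
/// <exception cref="System.Data.OracleClient.OracleException">Rethrown unchanged when the provider reports an error.</exception>
public static DataSet Query(string SQLString, params OracleParameter[] cmdParms)
{
    LoggerHelper.waitLog(SQLString, cmdParms, "select");
    using (OracleConnection connection = new OracleConnection(connectionString))
    // The command is disposable too; the original never released it.
    using (OracleCommand cmd = new OracleCommand())
    {
        PrepareCommand(cmd, connection, null, SQLString, cmdParms);
        using (OracleDataAdapter da = new OracleDataAdapter(cmd))
        {
            DataSet ds = new DataSet();
            try
            {
                da.Fill(ds, "ds");
                // Detach the caller's parameter objects so they can be reused on another command.
                cmd.Parameters.Clear();
            }
            catch (System.Data.OracleClient.OracleException ex)
            {
                LoggerHelper.waitLog(ex.Message + SQLString, null, "Error");
                // Rethrow the original: wrapping it in a bare Exception discarded the
                // stack trace and the provider's error code. Callers should still not
                // surface the raw provider message to end users.
                throw;
            }
            return ds;
        }
    }
}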
/// <summary>
/// Wires a command to its connection, optional transaction, SQL text and bind
/// parameters, opening the connection first if it is not already open.
/// </summary>
/// <param name="cmd">Command to configure.</param>
/// <param name="conn">Connection the command runs on.</param>
/// <param name="trans">Transaction to enlist in, or null.</param>
/// <param name="cmdText">SQL text to execute.</param>
/// <param name="cmdParms">Bind parameters to attach, or null for none.</param>
private static void PrepareCommand(OracleCommand cmd, OracleConnection conn, OracleTransaction trans, string cmdText, OracleParameter[] cmdParms)
{
    // Open lazily so callers may hand in either a fresh or an already-open connection.
    if (conn.State != ConnectionState.Open)
    {
        conn.Open();
    }

    cmd.Connection = conn;
    cmd.CommandText = cmdText;
    // Plain SQL text; stored-procedure calls would need a different CommandType.
    cmd.CommandType = CommandType.Text;

    if (trans != null)
    {
        cmd.Transaction = trans;
    }

    if (cmdParms == null)
    {
        return;
    }
    cmd.Parameters.AddRange(cmdParms);
}