我有以下网址: http://localhost:52416/Controls/Support_Survey.aspx?GUID=4aa4caca-f5cb-11e2-b582-635fb56c00b9
我需要从URL获取GUID作为变量,并将其传递给以下存储过程:
database.InsertUpdate(String.Format("CALL spSurveyAnswer_Insert('{0}', '{1}','{2}');", selectValue1, txtFeedBack.Text, PassGUID_HERE));
有什么想法吗?
提前致谢
以下是我建议你这样做的方法:
var requestGuid = Request.Params["GUID"];
if (string.IsNullOrEmpty(requestGuid))
{
throw new InvalidOperationException("The request GUID is missing from the URL");
}
Guid guid;
if (!Guid.TryParse(requestGuid, out guid))
{
throw new InvalidOperationException("The request GUID in the URL is not correctly formatted");
}
using(var connection = new SqlConnection("connection_string"))
{
using(var command = new SqlCommand("spSurveyAnswer_Insert", connection))
{
command.CommandType = CommandType.StoredProcedure;
command.Parameters.AddWithValue("firstParamName", selectValue1);
command.Parameters.AddWithValue("feedbackParamName", txtFeedBack.Text);
command.Parameters.AddWithValue("guidParamName", guid);
command.Connection.Open();
command.ExecuteNonQuery();
}
}
您不能保证GUID将在URL中或是有效的GUID,所以要防御并检查两者!然后使用参数化查询来帮助防止SQL注入 - 因为您正在调用存储过程,如果您滥用proc中的参数值,您仍然可以使用sql注入,因此您也需要仔细编写.最后,还要妥善处理一次性资源.