Stu*_*art 1 c# asp.net parameters using
我正在使用using声明来验证客户编号.
using (SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString))
{
connection.Open();
using (SqlCommand cmdCheck = new SqlCommand("SELECT COUNT(CUSTOMER_NO) FROM WEBSITE_CUSTOMERS WHERE UPPER(CUSTOMER_NO) = '" + strCustomer.Trim().ToUpper() + "';", connection))
{
int nExists = (int)cmdCheck.ExecuteScalar();
if (nExists > 0)
return true;
else
return false;
}
}
这是先前通过stackoverflow告诉我的代码,用于检查先前存在的记录...它工作得很好,但我想知道是否有一种方法可以使用它的参数作为客户编号,因为这个变量是通过表单输入的,我想保护它免受注射.在这样cmdCheck的using语句中,我在哪里创建参数?
初始化命令后添加参数.一种方便的方法是AddWithValue:
const string sql = @"SELECT
COUNT(CUSTOMER_NO)
FROM
WEBSITE_CUSTOMERS
WHERE
UPPER(CUSTOMER_NO) = @CUSTOMER_NO;";
using (SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString))
{
using (SqlCommand cmdCheck = new SqlCommand(sql, connection))
{
cmdCheck.Parameters.AddWithValue("@CUSTOMER_NO", strCustomer.Trim().ToUpper());
connection.Open();
int nExists = (int)cmdCheck.ExecuteScalar();
return nExists > 0;
}
}
| 归档时间: |
|
| 查看次数: |
1258 次 |
| 最近记录: |