The purpose and usage of SqlParameter in C#
2014-12-11 16:34
Generally, when updating a DataTable or DataSet without SqlParameter, the program throws an error as soon as the SQL statement you build becomes ambiguous, for example when a string value contains a single quote, and anyone can carry out an injection attack simply by splicing SQL fragments into the statement.
```csharp
using System;
using System.Data.SqlClient;

// Without SqlParameter: the values are embedded directly in the statement text.
public int UpdateNameWithoutParameter()
{
    string sql = "update Table1 set name = 'Pudding' where ID = '1'"; // no SqlParameter used
    SqlConnection conn = new SqlConnection();
    // The connection string depends on your database.
    conn.ConnectionString = "Data Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";
    SqlCommand cmd = new SqlCommand(sql, conn);
    try
    {
        conn.Open();
        return cmd.ExecuteNonQuery();
    }
    catch (Exception)
    {
        return -1; // the original also had an unreachable "throw;" after this return
    }
    finally
    {
        conn.Close();
    }
}
```
The code above does not use SqlParameter. Besides the security problem, this approach also cannot update binary data such as an image file. Using SqlParameter solves both problems; there are two common ways to use it, the Add method and the AddRange method.
1. The Add method
```csharp
// Assumes cmd was built with a parameterized statement such as
// "update Table1 set name = @name where ID = @ID".
SqlParameter sp = new SqlParameter("@name", "Pudding");
cmd.Parameters.Add(sp);
sp = new SqlParameter("@ID", "1");
cmd.Parameters.Add(sp);
```
This method adds only one SqlParameter per call. The code above updates the field name to Pudding (a person's name) for the row whose ID equals 1.
2. The AddRange method
```csharp
SqlParameter[] paras = new SqlParameter[]
{
    new SqlParameter("@name", "Pudding"),
    new SqlParameter("@ID", "1")
};
cmd.Parameters.AddRange(paras);
```
Clearly, Add is inconvenient when several SqlParameter objects have to be added; in that case AddRange can be used instead.
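The following is an added example, not code from the original post, that puts the two approaches side by side for caller-supplied input: the concatenated statement that breaks on a single quote and lets the input change the statement's meaning, and the parameterized statement in which the text is fixed and the values travel separately with an explicit SqlDbType. The table layout Table1(ID int, name nvarchar(50)), the class name NameUpdater and the method names are assumptions; the connection string is the one from the post.

```csharp
// Added example (not from the original post). Assumes Table1(ID int, name nvarchar(50)).
using System;
using System.Data;
using System.Data.SqlClient;

public static class NameUpdater
{
    const string ConnStr =
        "Data Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";

    // Unsafe: the caller's input becomes part of the statement text. A value such as
    // O'Brien breaks the statement, and any value can alter what the statement does.
    public static int UpdateNameUnsafe(string id, string name)
    {
        string sql = "update Table1 set name = '" + name + "' where ID = '" + id + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Safe: the statement text never changes; values are sent as typed parameters and
    // are never parsed as SQL, so a quote in the name is just a character in the name.
    public static int UpdateName(int id, string name)
    {
        const string sql = "update Table1 set name = @name where ID = @ID";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit SqlDbType and size: the post's SqlParameter(name, value) form infers
            // the type from the value, so "1" is sent as a string and converted server-side,
            // and every distinct string length gets its own query plan.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The `using` blocks dispose the connection and command even when ExecuteNonQuery throws, which replaces the try/finally with conn.Close() used in the post; declaring the parameter type and size up front also matches the column definition instead of letting the provider guess it from each value.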
Below is the code that stores an image in the database and reads it back using SqlParameter.
```csharp
using System;
using System.Data.SqlClient;
using System.IO;

public int SavePhoto(string photourl)
{
    FileStream fs = new FileStream(photourl, FileMode.Open, FileAccess.Read); // FileStream that feeds the BinaryReader
    BinaryReader br = new BinaryReader(fs); // BinaryReader used to fill the byte array below
    byte[] photo = br.ReadBytes((int)fs.Length); // read the whole file into a byte array
    br.Close(); // remember to close br
    fs.Close(); // and fs
    string sql = "update Table1 set photo = @photo where ID = '0'";
    SqlConnection conn = new SqlConnection();
    conn.ConnectionString = "Data Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";
    SqlCommand cmd = new SqlCommand(sql, conn);
    SqlParameter sp = new SqlParameter("@photo", photo); // a byte[] value is sent as varbinary
    cmd.Parameters.Add(sp);
    try
    {
        conn.Open();
        return cmd.ExecuteNonQuery();
    }
    catch (Exception)
    {
        return -1; // the original also had an unreachable "throw;" after this return
    }
    finally
    {
        conn.Close();
    }
}

public void ReadPhoto(string url)
{
    string sql = "select photo from Table1 where ID = '0'";
    SqlConnection conn = new SqlConnection();
    conn.ConnectionString = "Data Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";
    SqlCommand cmd = new SqlCommand(sql, conn);
    try
    {
        conn.Open();
        SqlDataReader reader = cmd.ExecuteReader(); // read the data with a SqlDataReader
        if (reader.Read())
        {
            byte[] photo = reader[0] as byte[]; // copy column 0 into a byte array
            FileStream fs = new FileStream(url, FileMode.CreateNew); // FileStream to write the bytes to
            fs.Write(photo, 0, photo.Length); // write the byte array to fs
            fs.Close(); // close fs
        }
        reader.Close(); // close reader
    }
    catch (Exception)
    {
        throw;
    }
    finally
    {
        conn.Close();
    }
}
```
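As an added example that is not part of the original post, here is the same image round-trip with the row key passed as a parameter too, the binary column typed explicitly as varbinary(max), and the case where the row is missing or the photo column is NULL handled (the post's `reader[0] as byte[]` yields null there, and `photo.Length` then throws). The class name PhotoStore, the int ID and the layout Table1(ID int, photo varbinary(max)) are assumptions; the connection string is the post's.

```csharp
// Added example (not from the original post). Assumes Table1(ID int, photo varbinary(max)).
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;

public static class PhotoStore
{
    const string ConnStr =
        "Data Source=.\\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|\\Database.mdf;User Instance=true";

    public static int SavePhoto(int id, string photoPath)
    {
        byte[] photo = File.ReadAllBytes(photoPath); // opens, reads and closes the file in one call
        const string sql = "update Table1 set photo = @photo where ID = @ID";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Size -1 declares varbinary(max) explicitly instead of letting the provider
            // infer a size from this particular value.
            cmd.Parameters.Add("@photo", SqlDbType.VarBinary, -1).Value = photo;
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Returns false when the row does not exist or the photo column is NULL,
    // rather than dereferencing a null byte[].
    public static bool ReadPhoto(int id, string outputPath)
    {
        const string sql = "select photo from Table1 where ID = @ID";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read() || reader.IsDBNull(0))
                    return false;
                byte[] photo = (byte[])reader[0];
                // File.WriteAllBytes overwrites an existing file; the post's FileMode.CreateNew
                // throws IOException if the output file already exists.
                File.WriteAllBytes(outputPath, photo);
                return true;
            }
        }
    }
}
```

Both the key and the blob go through parameters, so the only text the server ever parses is the two constant statements; `using` disposes the reader, command and connection on every path, including exceptions.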