以下是自己在VS2010平台上，參考網上的方法開發的Oracle連接程序，其中引入了參數化輸入來防止SQL注入式攻擊。
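#region Oracle login check
// Oracle connection string.
// TODO(review): the credentials (a privileged "system" account and its password) are embedded in
// source; load them from protected configuration and use a least-privilege account for this query.
string con = "Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)));User Id=system;Password=password;";
// Parameterized query: user input is bound through :UserName / :UserPassword and never
// concatenated into the SQL text, which is what prevents SQL injection here.
string ap = "select * from T_User where U_ID=:UserName and U_PASSWORD=:UserPassword ";
// Connection, command and reader are all IDisposable; `using` guarantees Close/Dispose on every
// path, including the exception path, where the original open-coded checks could skip the reader.
// `UserName`, `UserPassword` and `result` are presumably declared by the enclosing method.
using (OracleConnection mycon = new OracleConnection(con))
{
    try
    {
        mycon.Open();
        using (OracleCommand cmd = new OracleCommand(ap, mycon))
        {
            OracleParameter para = new OracleParameter("UserName", OracleType.VarChar, 50);
            para.Value = UserName;
            cmd.Parameters.Add(para);
            // NOTE(review): the submitted password is compared directly against U_PASSWORD, so it
            // only works if the column stores the credential in the form the user types it. If that
            // is plaintext, store a salted hash and compare against that instead — confirm the schema.
            OracleParameter para1 = new OracleParameter("UserPassword", OracleType.VarChar, 50);
            para1.Value = UserPassword;
            cmd.Parameters.Add(para1);
            using (OracleDataReader da = cmd.ExecuteReader())
            {
                // A returned row means the user exists and the password matched.
                if (da.Read())
                {
                    result = true;
                }
            }
        }
    }
    catch (OracleException ex)
    {
        // NOTE(review): ex.ToString() carries the provider message and stack trace; displaying it
        // to the user exposes connection and schema details. Prefer a generic message plus a log entry.
        MessageBox.Show(ex.ToString(), "信息提示", MessageBoxButtons.OK, MessageBoxIcon.Error);
        this.Close(); // Unrecoverable database failure: shut the form down.
    }
}
#endregion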
