作用
防範惡意 T-SQL 語句（SQL injection）攻擊的第一種寫法：以明確指定型別的 SqlParameter 傳入參數
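/// <summary>
/// Returns one page of BOP steps for a BOM by executing the
/// <c>up_BasicInfo_GetBOPStepListByBOM</c> stored procedure.
/// Every caller-supplied value is handed to the procedure as a typed
/// <see cref="SqlParameter"/>; nothing is concatenated into T-SQL text, so the
/// inputs are only ever treated as data and the call is not exposed to SQL injection.
/// </summary>
/// <param name="ProductGroupCode">Product group filter, sent as VarChar.</param>
/// <param name="Ismaintain">Maintain flag, sent as VarChar (its meaning is defined by the procedure).</param>
/// <param name="HierarchyID">Hierarchy identifier, sent as Int.</param>
/// <param name="BOMName">BOM name filter, sent as VarChar.</param>
/// <param name="BOMCode">BOM code filter, sent as VarChar.</param>
/// <param name="BOMType">BOM type filter, sent as VarChar.</param>
/// <param name="BOPStepType">BOP step type filter, sent as Int.</param>
/// <param name="PageIndex">Page number requested, sent as Int.</param>
/// <param name="PageSize">Rows per page, sent as Int.</param>
/// <param name="TotalCount">
/// Receives the value of the procedure's <c>@TotalCount</c> output parameter;
/// 0 when the procedure reports NULL or does not set it.
/// </param>
/// <returns>The first table of the result set produced by the procedure.</returns>
public static DataTable GetBOPStepByBOM(string ProductGroupCode, string Ismaintain, int HierarchyID, string BOMName, string BOMCode, string BOMType, int BOPStepType, int PageIndex, int PageSize, out int TotalCount)
{
    // SqlClient does not send an input parameter whose Value is null (the call then fails
    // with "expects parameter ... which was not supplied"); a SQL NULL must be DBNull.Value.
    object DbValue(string s) => (object)s ?? DBNull.Value;

    // Output parameter kept in its own variable so the read-back below does not depend
    // on the array position.
    SqlParameter totalCountParam = new SqlParameter("@TotalCount", SqlDbType.Int)
    {
        Direction = ParameterDirection.Output,
    };

    // Explicit SqlDbType on each parameter: the provider transmits the values separately
    // from the statement text, which is what makes the procedure call injection-safe.
    // NOTE(review): no Size is given for the VarChar parameters, so the provider infers it
    // from each value; this is harmless for correctness but can fragment the plan cache.
    SqlParameter[] parameters =
    {
        new SqlParameter("@ProductGroupCode", SqlDbType.VarChar) { Value = DbValue(ProductGroupCode) },
        new SqlParameter("@Ismaintain", SqlDbType.VarChar) { Value = DbValue(Ismaintain) },
        new SqlParameter("@HierarchyID", SqlDbType.Int) { Value = HierarchyID },
        new SqlParameter("@BOMName", SqlDbType.VarChar) { Value = DbValue(BOMName) },
        new SqlParameter("@BOMType", SqlDbType.VarChar) { Value = DbValue(BOMType) },
        new SqlParameter("@BOPStepType", SqlDbType.Int) { Value = BOPStepType },
        new SqlParameter("@PageIndex", SqlDbType.Int) { Value = PageIndex },
        new SqlParameter("@PageSize", SqlDbType.Int) { Value = PageSize },
        totalCountParam,
        new SqlParameter("@BOMCode", SqlDbType.VarChar) { Value = DbValue(BOMCode) },
    };

    // Project helper; per the original author's note it opens the connection, runs the
    // command and closes the connection itself, so nothing is disposed here.
    SqlDataAccess sqlDataAccess = SqlDataAccess.CreateDataAccess();
    DataSet result = sqlDataAccess.ExecuteDataSet("up_BasicInfo_GetBOPStepListByBOM", parameters);

    // A SQL NULL comes back as DBNull.Value; an unset output parameter may come back as
    // null. Both map to 0 instead of throwing on the cast.
    TotalCount = totalCountParam.Value is int count ? count : default(int);

    return result.Tables[0];
}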
第二種寫法：不指定 SqlDbType，直接以值建立 SqlParameter，由提供者推斷型別
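/// <summary>
/// Inserts order causes by executing the <c>up_BasicInfo_InsertOrderCause</c> stored procedure.
/// Each argument is passed as a <see cref="SqlParameter"/> built directly from the CLR value
/// (the SqlDbType is inferred from the value rather than declared), so no caller input is
/// concatenated into T-SQL and the call is not exposed to SQL injection.
/// </summary>
/// <param name="productGroupCode">Product group the causes belong to.</param>
/// <param name="customerBelongTo">Customer identifier expected by the procedure.</param>
/// <param name="salesTypeID">Sales type identifier expected by the procedure.</param>
/// <param name="orderCauseList">Order causes to insert; its format is defined by the procedure, not visible here.</param>
/// <returns>The value returned by <c>ExecuteNonQuery</c> for the procedure call.</returns>
public static int InsertOrderCause(string productGroupCode, int customerBelongTo, int salesTypeID, string orderCauseList)
{
    // A SqlParameter whose Value is null is not sent by SqlClient and the call fails with
    // "expects parameter ... which was not supplied"; a SQL NULL must be DBNull.Value.
    // The (object) cast also pins the (string, object) constructor overload for the strings.
    SqlParameter[] paras =
    {
        new SqlParameter("@ProductGroupCode", (object)productGroupCode ?? DBNull.Value),
        new SqlParameter("@CustomerBelongTo", customerBelongTo),
        new SqlParameter("@SalesTypeID", salesTypeID),
        new SqlParameter("@OrderCauseList", (object)orderCauseList ?? DBNull.Value),
    };

    // Project helper that manages open/execute/close of the ADO.NET connection itself.
    SqlDataAccess sqlDataAccess = SqlDataAccess.CreateDataAccess();
    return sqlDataAccess.ExecuteNonQuery("up_BasicInfo_InsertOrderCause", paras);
}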