分类:
NET
防止 SQL 注入的简单参数化写法。注意：参数化只解决 SQL 注入这一个问题；下面的示例仍把 sa 账号和密码硬编码在连接字符串里，并在 SQL 中直接比较明文口令（Number=@number）。正式代码应从配置/密钥库读取最小权限账号，并在应用层用加盐哈希（如 PBKDF2）校验口令，而不是把口令原样送到数据库比较。
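/// <summary>
/// Checks whether a row exists in the Users table whose UserName matches
/// <paramref name="_username"/> and whose Number column matches
/// <paramref name="_password"/>. Both inputs are bound as SQL parameters, so
/// they can never change the SQL text (no SQL injection through these arguments).
/// </summary>
/// <param name="_username">Login name; bound to @username.</param>
/// <param name="_password">Credential; bound to @number and compared with the Number column.</param>
/// <returns>true if at least one matching row exists; otherwise false.</returns>
/// <remarks>
/// Security notes (reviewer):
/// - The connection string embeds the <c>sa</c> login and its password in source.
///   It should be loaded from configuration / a secret store and use a
///   least-privilege login that can only read Users. Left as-is here because
///   no configuration mechanism is visible in this snippet.
/// - The credential is compared inside SQL against the stored column value,
///   i.e. it is stored and compared in plaintext. Store a salted hash
///   (e.g. PBKDF2) and verify it in application code instead.
/// </remarks>
public bool Login(string _username, string _password)
{
    // A null parameter value makes SqlClient throw at execution time
    // ("parameter ... was not supplied"), and an empty name or credential
    // should never authenticate, so fail closed before touching the database.
    if (string.IsNullOrEmpty(_username) || string.IsNullOrEmpty(_password))
    {
        return false;
    }

    // TODO(security): move to configuration and use a least-privilege login, not sa.
    const string connectionString = "server=.;uid=sa;pwd=123456;database=test";

    // Only placeholders appear in the SQL text; the values are bound below.
    const string sql = "select 1 from Users where UserName=@username and Number=@number";

    using (SqlConnection conn = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand(sql, conn))
    {
        // Bound as values, never concatenated into the statement.
        cmd.Parameters.AddWithValue("@username", _username);
        cmd.Parameters.AddWithValue("@number", _password);

        conn.Open();

        // The reader is disposable too; the original left it open until the
        // connection was disposed. Only row existence matters here.
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            return reader.Read();
        }
    }
}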