分类:
NET
防止sql 注入的,简单参数化写法
public bool Login(string _username, string _password)
{
using (SqlConnection conn = new SqlConnection("server=.;uid=sa;pwd=123456;database=test"))
{
conn.Open();
string sql = "select 1 from Users where UserName=@username and Number=@number";
//参数化
using (SqlCommand com = new SqlCommand(sql, conn))
{
//给username提供参数
SqlParameter sp = new SqlParameter("username",_username);
com.Parameters.Add(sp);
//给密码提供参数
SqlParameter password_sp = new SqlParameter("number", _password);
com.Parameters.Add(password_sp);
SqlDataReader reader = com.ExecuteReader();
if (reader.Read())
return true;
else
return false;
}
}
}评价
