The SqlParameter Class: SQL Statements with Parameters

This article describes how to use the SqlParameter class to add parameters to SQL commands safely, with concrete example code covering insert and update operations. Passing values through SqlParameter rather than splicing them into the statement text is an effective defence against SQL injection.


SqlParameter Class

Represents a parameter to a SqlCommand, and optionally its mapping to DataSet columns. This class cannot be inherited.

Namespace: System.Data.SqlClient

Assembly: System.Data (in System.Data.dll)

Example 1

```csharp
using System.Data;
using System.Data.SqlClient;

// Connection string as given in the original listing; an sa login with an empty
// password is for illustration only and must not be used in a real deployment.
string strconn = "Data Source=xxx;user id=sa;pwd=;initial catalog=gltest";
SqlConnection Conn = new SqlConnection(strconn);
Conn.Open();

// declare the parameterized statement: @name and @pwd are placeholders, not text
string sql = "insert into users(name,pwd) values (@name,@pwd)";
SqlCommand cmd = new SqlCommand(sql, Conn);

// add the parameters (name, SQL type, size)
cmd.Parameters.Add(new SqlParameter("@name", SqlDbType.NVarChar, 50));
cmd.Parameters.Add(new SqlParameter("@pwd", SqlDbType.NVarChar, 50));

// assign the parameter values; the input is sent as data, never as SQL text
cmd.Parameters["@name"].Value = this.TextBox1.Text;
cmd.Parameters["@pwd"].Value = this.TextBox2.Text;

cmd.ExecuteNonQuery();
Conn.Close();
```

cmd.Parameters.Add() adds a parameter to the command's parameter collection (the parameter list). The first argument to Add is the name of the parameter being added and the second is the parameter's data type. The Parameters collection is also what carries the parameters produced when a stored procedure finishes executing back into the program.

The first argument is the parameter name, the second the parameter type, and the third the length.

Example 2:

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Text;

/// <summary>
/// Update one row
/// </summary>
public bool Update(Model.MonitoringPointsStatusInfo model)
{
    StringBuilder strSql = new StringBuilder();
    strSql.Append("update TB_MonitoringPointsStatus set ");
    strSql.Append("PointID=@PointID,");
    strSql.Append("PointName=@PointName,");
    strSql.Append("Date=@Date,");
    strSql.Append("DangerousLevel=@DangerousLevel,");
    strSql.Append("IsUpload=@IsUpload,");
    strSql.Append("IsCheck=@IsCheck,");
    strSql.Append("IsSafe=@IsSafe,");
    strSql.Append("CycleTime=@CycleTime,");
    strSql.Append("ColumnValue=@ColumnValue,");
    strSql.Append("IsApproval=@IsApproval,");
    strSql.Append("CheckUser=@CheckUser,");
    strSql.Append("CheckRealName=@CheckRealName,");
    strSql.Append("Note=@Note");
    strSql.Append(" where ID=@ID");
    // one typed SqlParameter per placeholder in the statement above
    SqlParameter[] parameters = {
        new SqlParameter("@ID", SqlDbType.Int, 4),
        new SqlParameter("@PointID", SqlDbType.Int, 4),
        new SqlParameter("@PointName", SqlDbType.NVarChar, 50),
        new SqlParameter("@Date", SqlDbType.DateTime),
        new SqlParameter("@DangerousLevel", SqlDbType.Char, 1),
        new SqlParameter("@IsUpload", SqlDbType.Bit, 1),
        new SqlParameter("@IsCheck", SqlDbType.Bit, 1),
        new SqlParameter("@CycleTime", SqlDbType.Char, 12),
        new SqlParameter("@IsSafe", SqlDbType.Bit, 1),
        // the original listing is cut off here
```
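To show why the parameterized form in examples 1 and 2 matters, here is an added example (not code from the original post): the string-splicing version of the insert beside its SqlParameter version, plus the SqlParameter[] pattern of example 2 carried through to execution. The connection string, the Note column size of 200, and the UserRepository/UpdateNote names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // Hypothetical connection string; real credentials belong in configuration, not source.
    private const string ConnStr = "Data Source=.;Initial Catalog=gltest;Integrated Security=true";

    // UNSAFE: input is spliced into the statement text, so a quote character in
    // name or pwd becomes part of the SQL instead of being stored as data.
    public static string BuildInsertUnsafe(string name, string pwd)
    {
        return "insert into users(name,pwd) values ('" + name + "','" + pwd + "')";
    }

    // SAFE: the statement text is constant; values travel separately as typed parameters.
    public static int InsertUser(string name, string pwd)
    {
        const string sql = "insert into users(name,pwd) values (@name,@pwd)";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring SqlDbType and Size to match the column avoids implicit
            // conversions on the server and keeps the cached plan reusable.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 50).Value = pwd;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // The SqlParameter[] pattern of example 2, carried through to execution.
    public static bool UpdateNote(int id, string note)
    {
        const string sql = "update TB_MonitoringPointsStatus set Note=@Note where ID=@ID";
        SqlParameter[] parameters = {
            new SqlParameter("@ID", SqlDbType.Int, 4) { Value = id },
            // A C# null must be sent as DBNull.Value; a null Value means "not supplied".
            new SqlParameter("@Note", SqlDbType.NVarChar, 200) { Value = (object)note ?? DBNull.Value },
        };
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddRange(parameters);
            conn.Open();
            return cmd.ExecuteNonQuery() == 1;
        }
    }
}
```

Comparing the string returned by BuildInsertUnsafe for an input containing a single quote with the fixed text in InsertUser makes the difference visible: only the parameterized command keeps the statement's structure independent of the input.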