[英]Passing parameters to stored procedure for an UPDATE
我一直試圖轉換為使用SQL Server中的存儲過程來執行我們的CRUD。 在我后面的代碼中,這就是將參數傳遞給SqlHelper
類的方式(如果您也需要將其發布,請告訴我)。 但這會阻止SQL注入嗎? 有沒有更好的方法來通過這些? 我還在下面粘貼了存儲過程以進行更新。 任何建議,以改善這一點,將不勝感激!
protected void UpdateRecord()
{
var connectionString = ConfigurationManager.ConnectionStrings["myConnectionString"].ToString();
SqlParameter[] sqlParam = new SqlParameter[19];
sqlParam[0] = new SqlParameter("@empfk", empno.Text);
sqlParam[1] = new SqlParameter("@prescriptpk", TxtPK.Text);
sqlParam[2] = new SqlParameter("@date", TxtDate.Text);
sqlParam[3] = new SqlParameter("@arcfk", DDLFullName.SelectedValue);
sqlParam[4] = new SqlParameter("@OT", chkOT.Checked);
sqlParam[5] = new SqlParameter("@PT", chkPT.Checked);
sqlParam[6] = new SqlParameter("@PS", chkPS.Checked);
sqlParam[7] = new SqlParameter("@SA", chkSA.Checked);
sqlParam[8] = new SqlParameter("@EC", chkEC.Checked);
sqlParam[9] = new SqlParameter("@NC", chkNC.Checked);
sqlParam[10] = new SqlParameter("@reason", DDLReason.SelectedValue);
sqlParam[11] = new SqlParameter("@sentto", TxtSentTo.Text);
sqlParam[12] = new SqlParameter("@sentvia", DDLSentVia.SelectedValue);
sqlParam[13] = new SqlParameter("@datereceived", TxtDateRec.Text);
sqlParam[14] = new SqlParameter("@datesigned", txtDateSigned.Text);
sqlParam[15] = new SqlParameter("@comments", txtComments.Text);
sqlParam[16] = new SqlParameter("@effbeg", TxtEffBeg.Text);
sqlParam[17] = new SqlParameter("@effend", TxtEffEnd.Text);
sqlParam[18] = new SqlParameter("@documentation", txtDocumentation.Text);
sqlhelper.SqlHelper.ExecuteNonQuery(connectionString, CommandType.StoredProcedure, "prescriptions_Update", sqlParam);
GridView1.DataBind();
}
這是存儲過程:
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[prescriptions_Update]
(@prescriptpk int, @date date, @arcfk int, @OT bit,
@PT bit, @PS bit, @SA bit, @EC bit, @NC bit,
@reason varchar(30), @sentto varchar(40),
@sentvia char(10), @datereceived date, @datesigned date,
@comments varchar(max), @effbeg date, @effend date,
@documentation varchar(max) )
AS
BEGIN
SET NOCOUNT ON;
UPDATE [Support].[dbo].[prescriptions]
SET [date] = @date, arcfk = @arcfk, OT = @OT, PT = @PT, PS = @PS,
SA = @SA, EC = @EC, NC = @NC, reason = @reason, sentto = @sentto,
sentvia = @sentvia, datereceived = @datereceived,
datesigned = @datesigned, comments = @comments, effbeg = @effbeg,
effend = @effend, documentation = @documentation
WHERE
prescriptpk = @prescriptpk
END
GO
Microsoft有一篇文章,您可以在這里閱讀。 它遍歷了防止SQL注入所需執行的操作。
但是本文的摘要是您需要使用SqlCommand
和AddWithValue
。
嘗試這個
private static SqlConnection _Connection = new SqlConnection();
private static SqlCommand _Command = new SqlCommand();
private static SqlConnection _Conn = new SqlConnection();
private static SqlConnection GetConnection()
{
try
{
if (_Connection.State == ConnectionState.Closed)
{
_Connection.ConnectionString = "ConnectionString";
_Connection.Open();
}
return _Connection;
}
catch (Exception ex)
{
throw ex;
}
}
public static void UpdateData(params object[] ParamValue)
{
try
{
_Conn = GetConnection();
_Command.Connection = _Conn;
_Command.CommandTimeout = 0;
_Command.CommandType = CommandType.StoredProcedure;
_Command.CommandText = "updateprocedure";
_Command.Parameters.Clear();
_Command.Parameters.Add("@Paramname1", SqlDbType.Int).Value = ParamValue[0];
_Command.Parameters.Add("@Paramname2", SqlDbType.Int).Value = ParamValue[1];
_Command.Parameters.Add("@Paramname3", SqlDbType.Int).Value = ParamValue[2];
_Command.ExecuteNonQuery();
}
catch (Exception ex)
{
throw ex;
}
finally
{
CloseConnection();
}
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.