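// Parameterized INSERT into Staff_answer. Every user-supplied value is bound through a
// SqlParameter instead of being concatenated into the SQL text, so the values are
// treated as data and cannot change the statement itself.
//
// Fixes relative to the pasted original:
//  - the VALUES list wrote "@ Remark" (with a space), which does not match the declared
//    "@Remark" parameter and would fail at execution time;
//  - "strSQL + =" is not a valid operator;
//  - the SqlCommand was never disposed.
// Identifiers that live outside this fragment (this.ExamTitleCode, QuestionsID, anserDt,
// rightOption, answerOption, isRight, question, this.Remark, userId, OrgName1, Helps)
// are restored from a case-mangled paste — confirm their exact spelling against the
// enclosing class.
var strSQL = "INSERT into Staff_answer (Examtitleid,questionsid,multiplechoice,rightoption,answeroption,isright, Score,staffscore,remark,state,creator,creatorg,createtime) values ";
strSQL += "(@ExamTitleID, @QuestionsID, @MultipleChoice, @RightOption, @AnswerOption, @IsRight, @Score, @StaffScore, @Remark, @State, @Creator, @CreatOrg, @CreateTime) ";

// SqlCommand is IDisposable; release it once the helper has executed it.
using (var cmd = new SqlCommand(strSQL))
{
    // Declared SqlDbType/size per parameter. These should match the Staff_answer column
    // definitions, which are not visible in this fragment.
    var param = new SqlParameter[]
    {
        new SqlParameter("@ExamTitleID", SqlDbType.UniqueIdentifier),
        new SqlParameter("@QuestionsID", SqlDbType.UniqueIdentifier),
        new SqlParameter("@MultipleChoice", SqlDbType.NVarChar, 2),
        new SqlParameter("@RightOption", SqlDbType.NVarChar, 200),
        new SqlParameter("@AnswerOption", SqlDbType.NVarChar, 200),
        new SqlParameter("@IsRight", SqlDbType.NVarChar, 2),
        new SqlParameter("@Score", SqlDbType.Decimal, 18),
        new SqlParameter("@StaffScore", SqlDbType.Decimal, 18),
        new SqlParameter("@Remark", SqlDbType.Text),
        new SqlParameter("@State", SqlDbType.NVarChar, 2),
        new SqlParameter("@Creator", SqlDbType.NVarChar, 200),
        new SqlParameter("@CreatOrg", SqlDbType.NVarChar, 200),
        // NOTE(review): declared as nvarchar(200) but assigned a DateTime below; a
        // DateTime-typed parameter would avoid a string round-trip — confirm the column type.
        new SqlParameter("@CreateTime", SqlDbType.NVarChar, 200)
    };

    // new Guid(string) throws FormatException on malformed input, which is the desired
    // outcome for an identifier that must be a GUID.
    param[0].Value = new Guid(this.ExamTitleCode.Value);
    param[1].Value = new Guid(QuestionsID);
    param[2].Value = anserDt.Rows[0]["Multiplechoice"].ToString();
    param[3].Value = rightOption;
    param[4].Value = answerOption;
    param[5].Value = isRight ? "1" : "0";
    // NOTE(review): Convert.ToInt32 into a Decimal parameter drops any fractional part of
    // the stored score — confirm whether scores are integral.
    param[6].Value = Convert.ToInt32(question.Rows[0]["score"]);
    param[7].Value = isRight ? Convert.ToInt32(question.Rows[0]["Score"]) : 0;
    param[8].Value = this.Remark.InnerText;
    param[9].Value = "1";
    param[10].Value = userId;
    param[11].Value = OrgName1;
    param[12].Value = DateTime.Now;

    cmd.Parameters.AddRange(param);

    Helps.GetExecuteNonQueryBySqlPa(cmd);
}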
SQL injection prevention