Preventing SQL injection in an INSERT statement (parameterized query)
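// Builds and executes a parameterized INSERT into Staff_Answer.
//
// SQL injection defence: the SQL text below contains no user data at all —
// every column value travels through a typed SqlParameter, so user-controlled
// inputs (RightOption, AnswerOption, the Remark element's text, ...) are sent
// to SQL Server as data and are never spliced into the statement.
var strsql = "insert into Staff_Answer (ExamTitleID, QuestionsID, MultipleChoice, RightOption, AnswerOption, IsRight, Score, StaffScore, Remark, State, Creator, CreatOrg, CreateTime) values ";
strsql += "(@ExamTitleID, @QuestionsID, @MultipleChoice, @RightOption, @AnswerOption, @IsRight, @Score, @StaffScore, @Remark, @State, @Creator, @CreatOrg, @CreateTime) ";

// Parameters carry an explicit SqlDbType and, for strings, a size.
// NOTE: for input parameters SqlClient silently truncates a string longer
// than the declared size (e.g. NVarChar(200)); if silent truncation of
// RightOption/AnswerOption/Creator/CreatOrg is unacceptable, validate
// lengths before reaching this code.
var param = new SqlParameter[]
{
    new SqlParameter("@ExamTitleID", SqlDbType.UniqueIdentifier),
    new SqlParameter("@QuestionsID", SqlDbType.UniqueIdentifier),
    new SqlParameter("@MultipleChoice", SqlDbType.NVarChar, 2),
    new SqlParameter("@RightOption", SqlDbType.NVarChar, 200),
    new SqlParameter("@AnswerOption", SqlDbType.NVarChar, 200),
    new SqlParameter("@IsRight", SqlDbType.NVarChar, 2),
    // The "size" argument is meaningless for Decimal (precision/scale govern it);
    // the values assigned below are plain ints, so the default inference suffices.
    new SqlParameter("@Score", SqlDbType.Decimal),
    new SqlParameter("@StaffScore", SqlDbType.Decimal),
    // SqlDbType.Text is a deprecated server type; NVarChar with size -1
    // (nvarchar(max)) is the modern equivalent if the column is ever migrated.
    new SqlParameter("@Remark", SqlDbType.Text),
    new SqlParameter("@State", SqlDbType.NVarChar, 2),
    new SqlParameter("@Creator", SqlDbType.NVarChar, 200),
    new SqlParameter("@CreatOrg", SqlDbType.NVarChar, 200),
    // Was declared NVarChar(200) while receiving a DateTime value: that
    // conversion to text is culture-dependent and yields non-sortable data.
    // Sending it as DateTime keeps the value typed; SQL Server still converts
    // implicitly should the column itself be a text type — confirm the schema.
    new SqlParameter("@CreateTime", SqlDbType.DateTime)
};

param[0].Value = new Guid(this.examTitleCode.Value);
param[1].Value = new Guid(QuestionsID);
param[2].Value = Anserdt.Rows[0]["MultipleChoice"].ToString();
param[3].Value = RightOption;            // user-supplied; safe only because it is a parameter
param[4].Value = AnswerOption;           // user-supplied; same
param[5].Value = ISRight ? "1" : "0";
param[6].Value = Convert.ToInt32(Question.Rows[0]["Score"]);
param[7].Value = ISRight ? Convert.ToInt32(Question.Rows[0]["Score"]) : 0;
param[8].Value = this.remark.InnerText;  // user-supplied free text; parameterized, never concatenated
param[9].Value = "1";
param[10].Value = userid;
param[11].Value = Orgname1;
param[12].Value = DateTime.Now;

// SqlCommand is IDisposable; scope it so it is released after execution.
// Assumes helps.getExecuteNonQueryBySqlPa executes the command synchronously
// and does not retain it — verify against the helper if that is not the case.
using (var cmd = new SqlCommand(strsql))
{
    cmd.Parameters.AddRange(param);
    helps.getExecuteNonQueryBySqlPa(cmd);
}
}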