There are many ways to prevent SQL injection attacks. I pass values to the database as bind parameters instead of building them into the statement text. The related code is as follows:
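/// <summary>
/// Executes a DML statement (insert/update/delete) with named bind parameters.
/// </summary>
/// <remarks>
/// Parameter values reach Oracle as bind variables, never as part of the statement
/// text, so their contents cannot change the structure of the SQL. The connection
/// string is read from the "Userconnection" application setting.
/// </remarks>
/// <param name="asSql">SQL statement containing :name placeholders.</param>
/// <param name="asPlList">Parameters to bind; each Name must match a placeholder in <paramref name="asSql"/> without the leading colon.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="asSql"/> or <paramref name="asPlList"/> is null.</exception>
public static void ExecuteDmlParameterSql(string asSql, SttSqlParameterList[] asPlList)
{
    if (asSql == null)
    {
        throw new ArgumentNullException("asSql");
    }
    if (asPlList == null)
    {
        throw new ArgumentNullException("asPlList");
    }

    string sConnectionString = ConfigurationManager.AppSettings.Get("Userconnection");

    // using blocks release the connection and command even when Open or
    // ExecuteNonQuery throws; the original disposed them only on the success path,
    // which leaks a pooled connection on every failed statement.
    using (OracleConnection ocConnection = new OracleConnection(sConnectionString))
    {
        ocConnection.Open();
        using (OracleCommand ocCommand = ocConnection.CreateCommand())
        {
            ocCommand.CommandType = CommandType.Text;
            ocCommand.CommandText = asSql;

            for (int i = 0; i < asPlList.Length; i++)
            {
                OracleParameter opName = new OracleParameter();
                opName.ParameterName = asPlList[i].Name;
                // Only string parameters are supported so far: the original switch
                // mapped "String" and every other Type value to VarChar alike, so the
                // dispatch is collapsed here until more types are actually handled.
                opName.OracleType = OracleType.VarChar;
                opName.Value = asPlList[i].Value;
                ocCommand.Parameters.Add(opName);
            }

            // The affected-row count is not surfaced by this void signature.
            ocCommand.ExecuteNonQuery();
        }
    }
}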
/// <summary>
/// One named bind parameter for the parameterised DML executor: a name, a type tag
/// and a string value.
/// </summary>
/// <remarks>
/// This is a mutable value type; callers typically allocate an array of it and fill
/// the elements in place. Only the "String" type tag is currently honoured.
/// </remarks>
public struct SttSqlParameterList
{
    private string _name;
    private string _type;
    private string _value;

    /// <summary>
    /// Creates a parameter with all three members set.
    /// </summary>
    /// <param name="asName">Parameter name (without the leading colon).</param>
    /// <param name="asType">Type tag; currently only "String" values are meaningful.</param>
    /// <param name="asValue">Parameter value as text.</param>
    public SttSqlParameterList(string asName, string asType, string asValue)
    {
        _name = asName;
        _type = asType;
        _value = asValue;
    }

    /// <summary>
    /// Parameter name; must equal the placeholder name used in the SQL text, but
    /// without the colon.
    /// </summary>
    public string Name
    {
        get { return _name; }
        set { _name = value; }
    }

    /// <summary>
    /// Parameter type tag (currently only "String" is accepted by the executor).
    /// </summary>
    public string Type
    {
        get { return _type; }
        set { _type = value; }
    }

    /// <summary>
    /// Parameter value, interpreted according to <see cref="Type"/>.
    /// </summary>
    public string Value
    {
        get { return _value; }
        set { _value = value; }
    }
}
The method is called as follows:
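// Every caller-supplied value is sent as a named bind variable (:name). The earlier
// version spliced {0}..{7} into the statement text with String.Format and bound
// only :checkerexplain, so any of the other seven values could alter the SQL itself.
string sSql = "Update hp_requirement "
    + "Set rqtguage = 16, rqtupdatedate = to_date(:updatedate, 'yyyy.mm.dd'), "
    + "Rqtcheckerid = :checkerid, "
    + "Rqtcheckerempid = :checkerempid, "
    + "Rqtdevelopexplain = :checkerexplain, " // each :name matches the Name of a list entry below
    + "Rqtanalysthour = :analysthour, "
    + "Rqtdevelopworkload = :workload, "
    + "Rqttesthour = :testhour, "
    + "Rqttoalhour = :totalhour "
    + "Where rqtid = :mainid";

// Assign parameters. All are bound as VarChar; Oracle converts them to the column
// type, so a non-numeric value for a NUMBER column fails the statement instead of
// being executed as SQL. Entries are listed in statement order so the call also
// works with a provider that binds by position rather than by name.
SttSqlParameterList[] sptList = new SttSqlParameterList[]
{
    new SttSqlParameterList("updatedate", "String", supdatedate),
    new SttSqlParameterList("checkerid", "String", scheckerid),
    new SttSqlParameterList("checkerempid", "String", scheckerempid),
    new SttSqlParameterList("checkerexplain", "String", scheckerexplain),
    new SttSqlParameterList("analysthour", "String", sanalysthour),
    new SttSqlParameterList("workload", "String", sworkload),
    new SttSqlParameterList("testhour", "String", stesthour),
    new SttSqlParameterList("totalhour", "String", stotalhour),
    new SttSqlParameterList("mainid", "String", smainid)
};
ClsHpDbManage.ExecuteDmlParameterSql(sSql, sptList);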