Why parameterize the execution of SQL statements?
One reason is to stop users from injecting SQL into your statements (SQL injection).
Take a simple example: an account/password login. Without parameters, the simplest thing is to paste the user's input for ID and PW straight into the SQL text that is sent to the database (users is a placeholder table name here):
SQL: SELECT id, pw FROM users WHERE id = 'inputID' AND pw = 'inputPW';
In the normal case this works, but if the ID or PW the user enters contains a ', the quote closes the string literal early and the rest of the input is executed as SQL. That is a vulnerability, not just a bug.
For example, the user enters this as the ID: 1' or '1'='1
The SQL statement that is actually executed is: SELECT id, pw FROM users WHERE id = '1' or '1'='1' AND pw = 'inputPW';
Because AND binds tighter than OR, this condition is id = '1' OR pw = 'inputPW': the attacker is logged in as account 1 without knowing its password. Enter the same string as the password instead, and the WHERE clause becomes id = 'inputID' AND pw = '1' or '1'='1', which is true for every row: every account in the database matches the condition.
In short, with a single ' a user can change what your SQL does.
Parameterization avoids this problem: the SQL text is sent with placeholders, the input is sent separately as values, and a ' in a value is just a character in that value, never part of the statement.
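The login above, run both ways, as an added example that is not part of the original post. It uses Python and an in-memory SQLite database instead of C# and MySQL so that it runs with nothing installed; the table, the three accounts and the payload string are constructed for the example. SQLite placeholders are ? rather than the @name form MySqlCommand uses, but the mechanism is the same: the input travels as a value, not as SQL text.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
SAMPLE_USERS = [("1", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")]

# The page's payload, entered by the user as the ID or as the password.
PAYLOAD = "1' or '1'='1"


def make_db():
    """Build an in-memory users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, input_id, input_pw):
    """Vulnerable: user input is pasted into the SQL text, as on the page."""
    sql = ("SELECT id, pw FROM users WHERE id = '" + input_id
           + "' AND pw = '" + input_pw + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, input_id, input_pw):
    """Hardened: placeholders in the SQL text, input passed as values."""
    sql = "SELECT id, pw FROM users WHERE id = ? AND pw = ?"
    return conn.execute(sql, (input_id, input_pw)).fetchall()


def demo():
    """Run both versions against normal input and against the payload."""
    conn = make_db()
    return {
        # Normal use: both versions behave the same.
        "normal_ok": login_concat(conn, "alice", "hunter2"),
        "normal_bad": login_concat(conn, "alice", "wrong"),
        # Payload in the ID field: WHERE id = '1' or '1'='1' AND pw = 'wrong'
        # AND binds tighter than OR, so this is id = '1' OR pw = 'wrong':
        # the attacker gets account 1 without its password.
        "concat_payload_in_id": login_concat(conn, PAYLOAD, "wrong"),
        # Payload in the password field: ... AND pw = '1' or '1'='1'
        # The trailing OR is always true, so every account matches.
        "concat_payload_in_pw": login_concat(conn, "alice", PAYLOAD),
        # Parameterized: the payload is compared as a literal string and
        # matches nothing in either position.
        "param_payload_in_id": login_param(conn, PAYLOAD, "wrong"),
        "param_payload_in_pw": login_param(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point to take from the output is that the concatenated version returns account 1 for the ID payload and all three accounts for the password payload, while the parameterized version returns no rows for either, because the quote in the value never reaches the SQL parser as syntax.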
/************************ Non-query operation *****************************************/
// It is late today, so the non-query operation is written first; the query operation will follow tomorrow.

using System;
using MySql.Data.MySqlClient;

public class MySQLHelper
{
    /** Function */
    /// <summary>
    /// Insert, delete and update data; returns the number of rows affected.
    /// ADO.NET returns -1 for statements that are not INSERT/UPDATE/DELETE;
    /// a failed execution throws a MySqlException rather than returning -1.
    /// </summary>
    /// <param name="sql">SQL statement with @name placeholders</param>
    /// <param name="ps">Parameters that fill the placeholders</param>
    /// <returns>the number of affected rows</returns>
    // "database" is the schema (database) name, not a table name.
    static string connStr = "Server=ip; User id=account name; password=password; database=database name";

    public static int ExecuteNonQuery(string sql, params MySqlParameter[] ps)
    {
        using (MySqlConnection conn = new MySqlConnection(connStr))
        {
            using (MySqlCommand cmd = new MySqlCommand(sql, conn))
            {
                cmd.Parameters.AddRange(ps);   // values are sent separately from the SQL text
                conn.Open();
                return cmd.ExecuteNonQuery();  // returns the number of rows affected
            }
        }
    }

    /** Application example */
    public void InsertData()
    {
        int cid = 1, aid = 2;
        string name = "HHA";
        string sql = "INSERT INTO tb_compart (compartID, compartName, areaID) VALUES (@compartID, @compartName, @areaID);";
        // The (object) cast on the int values picks the (string, object) constructor
        // instead of the (string, MySqlDbType) overload.
        MySqlParameter[] ps = {
            new MySqlParameter("@compartID", (object)cid),
            new MySqlParameter("@compartName", name),
            new MySqlParameter("@areaID", (object)aid)
        };
        int r = MySQLHelper.ExecuteNonQuery(sql, ps); // r is the number of rows affected; an error throws
    }
}
C# parameterized execution of SQL statements to prevent injection attacks, using MySQL as the example (20151108: non-query operation)