今天學習了一下 SqlParameter 的用法，原來這麼寫是為了防止 SQL 注入破壞資料庫。並自己動手連線了資料庫。
例子: 點擊Button1按鈕的時候就把資料插入資料庫中。
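using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Text;
using System.Data.SqlClient;
using System.Data;
using System.Configuration;

namespace ParaMeter
{
    /// <summary>
    /// Demo page: clicking Button1 inserts one row into OA_RT_FileType through a
    /// parameterized INSERT, so the values travel as data and are never spliced into SQL text.
    /// </summary>
    public partial class Test : System.Web.UI.Page
    {
        private string connectionStr;   // connection string, read from config in Page_Load
        private SqlConnection conDB;    // per-request connection; opened lazily by PrepareCommand
        private SqlTransaction _trans;  // transaction to enlist in; never assigned on this page, so always null

        /// <summary>
        /// Creates the per-request connection. On a postback this runs before Button1_Click.
        /// </summary>
        /// <exception cref="ConfigurationErrorsException">No connection string named "constr" is configured.</exception>
        protected void Page_Load(object sender, EventArgs e)
        {
            // Credentials do not belong in source. The commented-out line in the original
            // already read a "constr" key from config; the <connectionStrings> section of
            // web.config is the conventional home for it (use a least-privilege login there).
            ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["constr"];
            if (settings == null || string.IsNullOrEmpty(settings.ConnectionString))
            {
                throw new ConfigurationErrorsException("Connection string 'constr' is not configured.");
            }
            connectionStr = settings.ConnectionString;
            conDB = new SqlConnection(connectionStr);
        }

        /// <summary>
        /// Inserts a single FileType row and reports the outcome in Label1.
        /// The values are bound as SqlParameters, which is what defeats SQL injection:
        /// the server receives them as typed data, not as part of the statement.
        /// </summary>
        protected void Button1_Click(object sender, EventArgs e)
        {
            StringBuilder strSql = new StringBuilder();
            strSql.Append("INSERT INTO [OA_WEB_DB].[dbo].[OA_RT_FileType]([FileTypeName],[Deleted])");
            strSql.Append("VALUES(@fileName,@delete)");

            // Build fresh parameters on every call: a SqlParameter can belong to only one
            // SqlParameterCollection, so an array reused across calls would throw on Add.
            SqlParameter[] parameters =
            {
                new SqlParameter("@fileName", SqlDbType.NVarChar, 100) { Value = "檔案類型" },
                new SqlParameter("@delete", SqlDbType.Bit) { Value = false },
            };

            bool isSucc = ExecUpdateSql(strSql.ToString(), parameters);
            Label1.Text = isSucc ? "插入成功" : "插入失敗";
        }

        /// <summary>
        /// 執行一條更新語句 — runs one non-query statement against the page connection.
        /// </summary>
        /// <param name="SQLString">需要執行的SQL語句。The statement to execute.</param>
        /// <param name="cmdParms">執行參數數組。Parameters to bind; may be empty.</param>
        /// <returns>成功返回True,失敗返回False。True when the statement ran, false when SQL Server rejected it.</returns>
        private bool ExecUpdateSql(string SQLString, params SqlParameter[] cmdParms)
        {
            using (SqlCommand cmd = new SqlCommand())
            {
                try
                {
                    PrepareCommand(cmd, conDB, _trans, SQLString, cmdParms);
                    cmd.ExecuteNonQuery();
                    return true;
                }
                catch (SqlException)
                {
                    // Deliberate best-effort contract: the caller only needs a yes/no.
                    return false;
                }
                finally
                {
                    // PrepareCommand opened the connection but nothing closed it, which leaked one
                    // pooled connection per request. Return it to the pool unless a transaction
                    // still owns it.
                    if (_trans == null && conDB != null)
                    {
                        conDB.Close();
                    }
                }
            }
        }

        /// <summary>
        /// Opens <paramref name="conn"/> if it is not already open and binds the command
        /// text, optional transaction and parameters onto <paramref name="cmd"/>.
        /// </summary>
        /// <param name="cmd">Command to configure.</param>
        /// <param name="conn">Connection to run on; opened here when needed.</param>
        /// <param name="trans">Transaction to enlist in, or null.</param>
        /// <param name="cmdText">Statement text, always executed as CommandType.Text.</param>
        /// <param name="cmdParms">Parameters to add, or null for none.</param>
        private void PrepareCommand(SqlCommand cmd, SqlConnection conn, SqlTransaction trans, string cmdText, SqlParameter[] cmdParms)
        {
            if (conn.State != ConnectionState.Open)
            {
                conn.Open();
            }
            cmd.Connection = conn;
            cmd.CommandText = cmdText;
            if (trans != null)
            {
                cmd.Transaction = trans;
            }
            cmd.CommandType = CommandType.Text;

            if (cmdParms == null)
            {
                return;
            }
            foreach (SqlParameter parameter in cmdParms)
            {
                // SqlClient treats a null Value as "parameter not supplied" rather than SQL NULL,
                // so nulls on input parameters are mapped to DBNull before binding.
                bool isInput = parameter.Direction == ParameterDirection.InputOutput
                               || parameter.Direction == ParameterDirection.Input;
                if (isInput && parameter.Value == null)
                {
                    parameter.Value = DBNull.Value;
                }
                cmd.Parameters.Add(parameter);
            }
        }
    }
}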