Published 21 June 2023 (author: )

Explaining the purpose and usage of SqlParameter in C#

Generally, when updating a DataTable or DataSet, if you do not use SqlParameter and the SQL statement becomes ambiguous because of its input, for example when a string contains a single quote, the program fails with an error, and anyone can easily mount an injection attack by splicing their own text into the SQL statement. The statement below uses fixed literals, so it is harmless as written; the problem appears as soon as 'Pudding' or '1' is replaced by a value concatenated in from user input, because the server cannot tell where the data ends and the SQL begins.

    // Without SqlParameter. Assumes: using System; using System.Data.SqlClient;
    string sql = "update Table1 set name = 'Pudding' where ID = '1'";
    SqlConnection conn = new SqlConnection();
    // The connection string depends on your database; the .mdf file name that follows |DataDirectory| is not shown here.
    conn.ConnectionString = @"Data Source=.\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|;User Instance=true";
    SqlCommand cmd = new SqlCommand(sql, conn);
    try
    {
        conn.Open();
        return cmd.ExecuteNonQuery();   // number of rows affected
    }
    catch (Exception)
    {
        return -1;                      // signal failure to the caller; the exception is swallowed
    }
    finally
    {
        conn.Close();
    }

The code above does not use SqlParameter. Besides the security problem, this approach cannot handle updating binary data such as image files: there is no sensible way to splice a byte stream into the SQL text. SqlParameter solves both problems, because the values are sent to the server separately from the statement text, as typed data. There are two common ways of attaching parameters to a command, the Add method and the AddRange method, both on cmd.Parameters. In either case the statement text carries placeholders instead of literals, so the update below must read update Table1 set name = @name where ID = @ID.

1. The Add method

    SqlParameter sp = new SqlParameter("@name", "Pudding");
    cmd.Parameters.Add(sp);
    sp = new SqlParameter("@ID", "1");
    cmd.Parameters.Add(sp);

This method adds one SqlParameter at a time. The code above updates the name field to Pudding (a person's name) in the row whose ID equals 1. Note that the two-argument constructor infers the SQL type from the .NET value: "1" is a string, so @ID is sent as nvarchar and SQL Server converts it to the column's type on every execution. If ID is an integer column, pass an int, or set SqlDbType explicitly, so that the type is fixed by the code rather than by the data.

2. The AddRange method

    SqlParameter[] paras = new SqlParameter[]
    {
        new SqlParameter("@name", "Pudding"),
        new SqlParameter("@ID", "1")
    };
    cmd.Parameters.AddRange(paras);

Clearly Add is inconvenient when several parameters are needed; AddRange takes the whole array at once.

Below is code that stores an image in the database and reads it back through SqlParameter.

    public int SavePhoto(string photourl)
    {
        // Assumes: using System; using System.IO; using System.Data.SqlClient;
        FileStream fs = new FileStream(photourl, FileMode.Open, FileAccess.Read); // FileStream that feeds the BinaryReader
        BinaryReader br = new BinaryReader(fs);      // BinaryReader that fills the byte array below
        byte[] photo = br.ReadBytes((int)fs.Length); // read the whole file into the array
        br.Close();                                  // remember to close br
        fs.Close();                                  // and fs
        string sql = "update Table1 set photo = @photo where ID = '0'";
        SqlConnection conn = new SqlConnection();
        conn.ConnectionString = @"Data Source=.\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|;User Instance=true";
        SqlCommand cmd = new SqlCommand(sql, conn);
        SqlParameter sp = new SqlParameter("@photo", photo); // a byte[] value is sent as varbinary
        cmd.Parameters.Add(sp);
        try
        {
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
        catch (Exception)
        {
            return -1;
        }
        finally
        {
            conn.Close();
        }
    }

    public void ReadPhoto(string url)
    {
        string sql = "select photo from Table1 where ID = '0'";
        SqlConnection conn = new SqlConnection();
        conn.ConnectionString = @"Data Source=.\SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|;User Instance=true";
        SqlCommand cmd = new SqlCommand(sql, conn);
        try
        {
            conn.Open();
            SqlDataReader reader = cmd.ExecuteReader(); // read the result with a SqlDataReader
            if (reader.Read())
            {
                byte[] photo = reader[0] as byte[];  // column 0 into a byte array; null if the column is NULL
                if (photo != null)
                {
                    FileStream fs = new FileStream(url, FileMode.CreateNew); // FileStream that receives the bytes
                    fs.Write(photo, 0, photo.Length); // write the array to fs
                    fs.Close();                       // close fs
                }
            }
            reader.Close(); // close reader
        }
        finally
        {
            conn.Close();
        }
    }

In both methods the row ID is still a literal in the statement text. That is acceptable only because it is a constant in the code; any value that originates outside the program, the ID included, belongs in a parameter. The same care applies to the destination path: FileMode.CreateNew will write wherever url points, so a path taken from untrusted input must be validated first.

That is all for this article. I hope it helps with your studies, and thank you for your continued support.
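The following is an added example, not code from the original article, that makes the article's opening point concrete: the same update built by string concatenation and by parameters, fed a constructed benign value and a constructed hostile one, with the parameters typed explicitly as the Add/AddRange sections recommend. Table1, name and ID are the article's; SqlParameterDemo, its method names and the connection string are assumptions of this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original article. Table1, name and ID are
// the article's; SqlParameterDemo and its method names are this example's own.
public static class SqlParameterDemo
{
    // The pattern the article warns against: values spliced into the SQL text.
    // Whatever the caller passes becomes part of the statement the server parses.
    public static string BuildConcatenatedSql(string name, string id)
    {
        return "update Table1 set name = '" + name + "' where ID = '" + id + "'";
    }

    // The parameterized form. The statement text is a constant; the values
    // travel alongside it as typed parameters, so a quote inside name is just data.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string name, int id)
    {
        var cmd = new SqlCommand("update Table1 set name = @name where ID = @ID", conn);
        // Explicit SqlDbType and Size instead of inference from the .NET value:
        // inference would send "1" as nvarchar and size the string parameter to
        // the length of each value, giving a different parameter signature per call.
        cmd.Parameters.AddRange(new[]
        {
            new SqlParameter("@name", SqlDbType.NVarChar, 50) { Value = name },
            new SqlParameter("@ID", SqlDbType.Int) { Value = id }
        });
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs: a legitimate name containing an apostrophe, and a
        // classic payload that closes the string literal and comments out the rest.
        string benign = "O'Brien";
        string hostile = "x' where 1=1 --";

        Console.WriteLine(BuildConcatenatedSql(benign, "1"));
        Console.WriteLine(BuildConcatenatedSql(hostile, "1"));

        // Assumed local instance; nothing is executed here, the point is to show
        // exactly what the server would receive.
        using (var conn = new SqlConnection(@"Data Source=.\SQLExpress;Integrated Security=true"))
        using (var cmd = BuildParameterizedCommand(conn, hostile, 1))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} {1}({2}) = {3}", p.ParameterName, p.SqlDbType, p.Size, p.Value);
        }
    }
}
```

With the concatenated builder, the benign input yields update Table1 set name = 'O'Brien' where ID = '1', which does not parse, and the hostile input yields update Table1 set name = 'x' where 1=1 --' where ID = '1', which renames every row. The parameterized command's text is the same string whatever the input; the server receives @name as an nvarchar(50) whose value happens to contain a quote and @ID as an int, and the statement is compiled once and reused.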
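A second added example, again not the article's code, tightens the photo store and read methods above: the row ID becomes a typed parameter instead of the literal '0', the blob parameter is declared varbinary(max) explicitly, connections, commands and readers are disposed with using, a NULL column is reported instead of silently producing a null array, and the image is copied to disk in chunks with CommandBehavior.SequentialAccess and SqlDataReader.GetStream rather than buffered whole in memory. PhotoStore, its method names and the connection string are assumptions; Table1, photo and ID are the article's.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;

// Added example, not the article's code. Table1, photo and ID come from the
// article; PhotoStore, its method names and ConnStr are this example's assumptions.
public static class PhotoStore
{
    // Assumed local instance; in the article the database is attached via AttachDbFilename.
    const string ConnStr = @"Data Source=.\SQLExpress;Integrated Security=true";

    // Stores the file at photoPath in the photo column of the row with the given ID.
    // Returns the number of rows affected; exceptions propagate instead of becoming -1.
    public static int SavePhoto(string photoPath, int id)
    {
        byte[] photo = File.ReadAllBytes(photoPath); // replaces FileStream + BinaryReader
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("update Table1 set photo = @photo where ID = @ID", conn))
        {
            // Size -1 means varbinary(max). Without an explicit type the value is sent
            // as varbinary(photo.Length), so the parameter type would depend on the data.
            cmd.Parameters.Add("@photo", SqlDbType.VarBinary, -1).Value = photo;
            // The ID is a typed parameter, not a literal spliced into the SQL text.
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Copies the photo column of the row with the given ID to destPath.
    // Returns false when the row is missing or the column is NULL; the article's
    // reader[0] as byte[] would silently yield null in that case.
    public static bool ReadPhoto(int id, string destPath)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("select photo from Table1 where ID = @ID", conn))
        {
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;
            conn.Open();
            // SequentialAccess makes the reader hand the column out as a stream instead
            // of loading the whole row first; GetStream then copies it chunk by chunk.
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SequentialAccess))
            {
                if (!reader.Read() || reader.IsDBNull(0))
                    return false;
                using (Stream blob = reader.GetStream(0))
                using (var fs = new FileStream(destPath, FileMode.CreateNew, FileAccess.Write))
                {
                    blob.CopyTo(fs);
                }
                return true;
            }
        }
    }
}
```

FileMode.CreateNew is kept from the article: it refuses to overwrite an existing file, which is the safer default when destPath could collide with something already on disk. The path itself is still the caller's responsibility; if it derives from a request, validate it against an allowed directory before calling ReadPhoto.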
