向某个表中插入新行时,有两种方式,一种是相对低效的方式是动态构建SQL语句,也就是生成包含CommandText属性中所有必要信息的字符串。这不是推荐的最佳做法,有SQL注入攻击的风险。
更好的方法是使用命令参数的做法,命令参数在命令文本中是点位符,标记出将被替代的值的位置。在SQL Server中使用命名参数(named parameters),这些参数以@符号开始,后跟不带空格的参数名。如:INSERT INTO MyTable VALUES(@MyName,@MyNumber)
使用命令参数实例:
using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Data; using System.Data.SqlClient; namespace CommandParameters { class Program { static void Main(string[] args) { string fname = "tan"; string lname = "ding"; SqlConnection conn = new SqlConnection(@" server=.; integrated security=true; database = northwind"); string sqlqry = @"select count(*) from employees"; string sqlins = @"insert into employees(firstname,lastname) values(@fname,@lname)"; string sqldel = @"delete from employees where firstname=@fname and lastname=@lname"; SqlCommand cmdqry = new SqlCommand(sqlqry, conn); SqlCommand cmdnon = new SqlCommand(sqlins, conn); cmdnon.Prepare(); cmdnon.Parameters.Add("@fname", SqlDbType.NVarChar, 10); cmdnon.Parameters.Add("@lname", SqlDbType.NVarChar, 20); try { conn.Open(); Console.WriteLine("Before Insert:Number of employees {0}\n", cmdqry.ExecuteScalar()); cmdnon.Parameters["@fname"].Value = fname; cmdnon.Parameters["@lname"].Value = lname; Console.WriteLine("Executing statement {0}", cmdnon.CommandText); cmdnon.ExecuteNonQuery(); Console.WriteLine("After Insert:Number of employees {0}\n", cmdqry.ExecuteScalar()); cmdnon.CommandText = sqldel; Console.WriteLine("Executing statement {0}", cmdnon.CommandText); cmdnon.ExecuteNonQuery(); Console.WriteLine("After Delele:Number of employees {0}\n", cmdqry.ExecuteScalar()); } catch (SqlException ex) { Console.WriteLine(ex.ToString()); } finally { conn.Close(); Console.WriteLine("Connection Closed."); } Console.ReadKey(); } } }
说明:
将参数@fname和@lname添加到待参数化的命令对象的Parameters集合属性中:
cmdnon.Prepare();
cmdnon.Parameters.Add("@fname", SqlDbType.NVarChar, 10);
cmdnon.Parameters.Add("@lname", SqlDbType.NVarChar, 20);
SqlDbType枚举类型包含针对每一种SQL Server的数据类型的成员。
最后,在执行命令前需要设定参数值:
cmdnon.Parameters["@fname"].Value = fname;
cmdnon.Parameters["@lname"].Value = lname;