C#对Oracle数据库的语句进行参数化

C#操作Oracle数据库,并对语句进行参数化,防止SQL注入

  select语句:

    

                    StringBuilder strSql = new StringBuilder();
                    strSql.Append("Select Count(*) From Member Where UserName=:username ");
                    OracleParameter[] parameters = new OracleParameter[1];
                    parameters[0] = new OracleParameter(":username", ASPxUserName.Text.Trim().ToUpper());
                    dt = dBase.ExecuteDataTables(strSql.ToString(), parameters);

    


 public DataTable  ExecuteDataTables(string sql, OracleParameter[] parameterList)  
    {   //查询语句的参数化  
        Connection();  
        DataTable dt = new DataTable();  
        using (OracleDataAdapter oda = new OracleDataAdapter(sql, conn))  
        {  
            oda.SelectCommand = GetCommand(sql, parameterList); 
	    oda.Fill(dt);  
        }  
        return dt;  
    }   
	
    public  OracleCommand GetCommand(string sql, OracleParameter[] oraPra)  
    {  
        OracleCommand oracmd = new OracleCommand(sql, conn);  
           
            if (null != oraPra)  
            {  
                foreach (var p in oraPra)  
                {  
                    oracmd.Parameters.Add(p);  
                 }  
            }  
          return oracmd;  
    }




你可能感兴趣的:(ASP.net,oracle)