asp.net 防注入式攻击

 网上有许多防SQL注入式攻击的方法。我使用将值用参数传入形式。相关代码如下：

 

   /// <summary>
   /// 执行参数
   /// </summary>
   /// <param name="asSql"> SQL语句</param>
   /// <param name="asPlList"> 参数列表</param>
     public   static   void  ExecuteDMLParameterSQL( string  asSql, sttSqlParameterList[] asPlList)
    {
        sConnectionString  =  ConfigurationManager.AppSettings.Get( " UserConnection " );
        OracleConnection ocConnection  =   new  OracleConnection(sConnectionString);
        ocConnection.Open();
        OracleCommand ocCommand  =  ocConnection.CreateCommand();
        ocCommand.CommandType  =  CommandType.Text;
        ocCommand.CommandText  =  asSql;
         for  ( int  i  =   0 ; i  <  asPlList.Length; i ++ )
        {
            OracleParameter opName  =   new  OracleParameter();
            opName.ParameterName  =  asPlList[i].Name;
             switch  (asPlList[i].Type)
            {
                 case   " string " :
                    opName.OracleType  =  OracleType.VarChar;
                     break ;
                 default :
                    opName.OracleType  =  OracleType.VarChar;
                     break ;
            }
            opName.Value  =  asPlList[i].Value;
            ocCommand.Parameters.Add(opName);
        } 
         int  iResult  =  ( int )ocCommand.ExecuteNonQuery();
        ocCommand.Dispose();
        ocConnection.Close();
        ocConnection.Dispose();
    }


     ///   <summary>
     ///  参数结构,用于执行参数语句
     ///   </summary>
     public   struct  sttSqlParameterList
    {
         private   string  sName;
         private   string  sType;
         private   string  sValue;

         ///   <summary>
         ///  构造函数(初始化值)
         ///   </summary>
         ///   <param name="asName">参数名</param>
         ///   <param name="asType">参数类型(暂时只针对string型的值)</param>
         ///   <param name="asValue">参数值</param>
         public  sttSqlParameterList( string  asName,  string  asType,  string  asValue)
        {
            sName  =  asName;
            sType  =  asType;
            sValue  =  asValue;
        }

         ///   <summary>
         ///  参数名(与SQL语句中的参数名相同,但不带:号)
         ///   </summary>
         public   string  Name
        {
             get
            {
                 return  sName;
            }
             set
            {
                sName  =  value;
            }
        }

         ///   <summary>
         ///  参数类型(本参数暂时只接受string型)
         ///   </summary>
         public   string  Type
        {
             get
            {               
                 return  sType;
            }
             set
            {
                sType  =  value;
            }
        }




         ///   <summary>
         ///  参数值,与参数类型对应
         ///   </summary>
         public   string  Value
        {
             get
            {
                 return  sValue;
            }
             set
            {
                sValue  =  value;
            }
        }
    }
  

 调用方法为：

  string  sSql  =   " update HP_REQUIREMENT  "
         +   "  set RqtGuage=16,RqtUpdateDate=to_date('{1}','yyyy.MM.dd'), "
         +   "  RqtCheckerID={2}, "
         +   "  RqtCheckerEmpID='{3}', "
         +   " RqtDevelopExplain=:CheckerExplain, "   // CheckerExplain为参数名，与参数列表中的Name相对应
         +   "  RqtAnalystHour={4}, "
         +   "  RqtDevelopWorkload={5}, "
         +   "  RqtTestHour={6}, "
         +   "  RqtTotoalHour={7} "
         +   "  where RqtID='{0}' " ;
        sSql  =   string .Format(sSql, sMainID, sUpdateDate, sCheckerID, sCheckerEmpID, sAnalystHour, sWorkLoad, sTestHour, sTotalHour);

        // 给参数赋值 (这里只有一个参数)
        sttSqlParameterList[] sptList  =   new sttSqlParameterList[ 1 ];
        sptList[ 0 ].Name  =   " CheckerExplain " ;
        sptList[ 0 ].Type  =   " string " ;
        sptList[ 0 ].Value  =  sCheckerExplain;
        clsHpDbManage.ExecuteDMLParameterSQL(sSql, sptList);