通用权限管理系统底层的数据访问方法支持参数化查询。
先前没有使用参数化查询的语句是这样的：
// Pre-parameterization form: the two AREA_ID values are formatted straight into the quoted
// literals, so the SQL text itself changes with the input. This is the version the
// parameterized rewrite that follows replaces.
string conmmondText = string.Format(
    " SELECT A.SITE_ID AID, A.SITE_NAME ANAME, B.SITE_ID BID, B.SITE_NAME BNAME"
    + " FROM (SELECT 1 AS ID, SITE_NAME, SITE_ID FROM AREA_SUB WHERE AREA_ID = '{0}' AND DELETIONSTATECODE = 0) A"
    + " LEFT JOIN (SELECT 1 AS ID, SITE_NAME, SITE_ID FROM AREA_SUB WHERE AREA_ID = '{1}' AND DELETIONSTATECODE = 0) B ON A.ID = B.ID",
    array[0],
    array[1]);
var dt = dbHelper.Fill(conmmondText);
现数据库管理员要求 SQL 语句必须使用参数化查询，改造后的语句如下：
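// Parameterized form: the SQL text only ever contains the placeholders returned by
// dbHelper.GetParameter, and the two AREA_ID values travel as command parameters.
// The original declared `conmmondText` but assigned the formatted text to an undeclared
// `commandText` and then executed `conmmondText`, so the query would have reached the
// database with literal "{0}"/"{1}" in it; one consistently named variable fixes that.
string commandText = string.Format(
    " SELECT A.SITE_ID AID, A.SITE_NAME ANAME, B.SITE_ID BID, B.SITE_NAME BNAME"
    + " FROM (SELECT 1 AS ID, SITE_NAME, SITE_ID FROM AREA_SUB WHERE AREA_ID = {0} AND DELETIONSTATECODE = 0) A"
    + " LEFT JOIN (SELECT 1 AS ID, SITE_NAME, SITE_ID FROM AREA_SUB WHERE AREA_ID = {1} AND DELETIONSTATECODE = 0) B ON A.ID = B.ID",
    dbHelper.GetParameter("AREA_ID_0"),
    dbHelper.GetParameter("AREA_ID_1"));
// The parameter objects are created by the same helper that produced the placeholders and
// that runs Fill, so placeholder syntax and parameter type come from one provider
// (the original built them through ztoQuotePriceManager.DbHelper instead).
IDbDataParameter[] dbParameters = new IDbDataParameter[]
{
    dbHelper.MakeParameter("AREA_ID_0", array[0]),
    dbHelper.MakeParameter("AREA_ID_1", array[1])
};
var dt = dbHelper.Fill(commandText, dbParameters);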
这样改造后，输入值作为参数传递而不再拼入 SQL 文本，可以防止 SQL 注入。
另一个改造后的语句可供参考：
// Old form (kept for comparison): the area id was quoted and spliced into the WHERE text.
//List<AREA_SUBEntity> sendAreaSubList = areaSubManager.GetList<AREA_SUBEntity>(AREA_SUBEntity.FieldAREA_ID + "='" + ztoQuotePriceEntity.SEND_AREA_ID + "'");
//List<AREA_SUBEntity> dispAreaSubList = areaSubManager.GetList<AREA_SUBEntity>(AREA_SUBEntity.FieldAREA_ID + "='" + ztoQuotePriceEntity.DISP_AREA_ID + "'");
// New form: the field/value pair is handed to GetList, which the page presents as the
// parameterized overload, so the value never becomes part of the SQL text here.
var sendCondition = new KeyValuePair<string, object>(AREA_SUBEntity.FieldAREA_ID, ztoQuotePriceEntity.SEND_AREA_ID);
List<AREA_SUBEntity> sendAreaSubList = areaSubManager.GetList<AREA_SUBEntity>(sendCondition);
var dispCondition = new KeyValuePair<string, object>(AREA_SUBEntity.FieldAREA_ID, ztoQuotePriceEntity.DISP_AREA_ID);
List<AREA_SUBEntity> dispAreaSubList = areaSubManager.GetList<AREA_SUBEntity>(dispCondition);
/// <summary>
/// Deletes the rows of category 'MacAddress' in baseparameter whose PARAMETERID matches
/// <paramref name="id"/> (presumably a user id, given BaseUserEntity.FieldId is the parameter name).
/// </summary>
/// <param name="id">Value bound to the PARAMETERID parameter; it is never placed in the SQL text.</param>
/// <returns>Whatever DbHelper.ExecuteNonQuery returns (rows affected for standard ADO.NET providers).</returns>
public int ResetMACAddress(string id)
{
    // Only the fixed category code is part of the command text; the id is a parameter.
    string commandText = "DELETE baseparameter WHERE categorycode = 'MacAddress' AND PARAMETERID = " + DbHelper.GetParameter(BaseUserEntity.FieldId);
    var dbParameters = new List<IDbDataParameter>
    {
        DbHelper.MakeParameter(BaseUserEntity.FieldId, id)
    };
    return this.DbHelper.ExecuteNonQuery(commandText, dbParameters.ToArray(), CommandType.Text);
}
// Look up non-deleted users by nickname. The table and column names come from the entity's
// constants; the nickname value is bound as a parameter rather than concatenated in.
string sqlQuery = string.Format(
    "SELECT *  FROM {0} WHERE  Id > 0  AND {1} = {2} AND {3} = 0 ",
    BaseUserEntity.TableName,
    BaseUserEntity.FieldNickName,
    DbHelper.GetParameter(BaseUserEntity.FieldNickName),
    BaseUserEntity.FieldDeletionStateCode);
var dbParameters = new List<IDbDataParameter>
{
    this.DbHelper.MakeParameter(BaseUserEntity.FieldNickName, nickName)
};
var dt = this.DbHelper.Fill(sqlQuery, dbParameters.ToArray());
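// Archive the EXPRESSION rows of one quote into EXPRESSION_DELETED, then remove them.
// The same QUOTE_ID placeholder is referenced by both statements, so one parameter serves both.
commandText = "INSERT INTO EXPRESSION_DELETED SELECT * FROM EXPRESSION WHERE QUOTE_ID=" + k8DbHelper.GetParameter("QUOTE_ID")
    + ";DELETE FROM EXPRESSION WHERE QUOTE_ID=" + k8DbHelper.GetParameter("QUOTE_ID");
dbParameters.Clear();
// The parameter is made by k8DbHelper, the helper that produced the placeholder and executes
// the command; the original used DbHelper.MakeParameter, which is only correct if both helpers
// target the same provider (placeholder prefix and parameter type must match).
dbParameters.Add(k8DbHelper.MakeParameter("QUOTE_ID", QuoteId));
// NOTE(review): the INSERT and DELETE run as one batch; whether they commit atomically depends
// on the connection/transaction k8DbHelper uses, which is outside this snippet — confirm before
// relying on it, since a failed DELETE would leave the rows in both tables.
k8DbHelper.ExecuteNonQuery(commandText, dbParameters.ToArray(), CommandType.Text);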
// Find active price rows that reference the area as either sender or recipient.
// Both placeholders are bound to the same value (EatxtAreaId).
var sendPlaceholder = businessDbHelper.GetParameter("SEND_AREA_ID");
var dispPlaceholder = businessDbHelper.GetParameter("DISP_AREA_ID");
string commandText = "SELECT ID,QUOTE_NAME FROM PRICE WHERE (SEND_AREA_ID=" + sendPlaceholder
    + " OR DISP_AREA_ID=" + dispPlaceholder + ") AND DELETIONSTATECODE=0 ";
IDbDataParameter[] dbParameters =
{
    businessDbHelper.MakeParameter("SEND_AREA_ID", EatxtAreaId),
    businessDbHelper.MakeParameter("DISP_AREA_ID", EatxtAreaId)
};
DataTable dt = businessDbHelper.Fill(commandText, dbParameters);
// Find non-deleted AREASUB rows with SITE_ID=0 for either the send or the dispatch area of the quote.
var sendPlaceholder = businessDbHelper.GetParameter("SEND_ID");
var dispPlaceholder = businessDbHelper.GetParameter("DISP_ID");
string commandText = "SELECT ID FROM AREASUB WHERE DELETIONSTATECODE=0 AND SITE_ID=0 AND (AREA_ID=" + sendPlaceholder
    + " OR AREA_ID=" + dispPlaceholder + ") ";
IDbDataParameter[] dbParameters =
{
    businessDbHelper.MakeParameter("SEND_ID", ztoQuotePriceEntity.SEND_AREA_ID),
    businessDbHelper.MakeParameter("DISP_ID", ztoQuotePriceEntity.DISP_AREA_ID)
};
DataTable dt = businessDbHelper.Fill(commandText, dbParameters);
// Set column values on the rows matching a condition.
// Rows are selected by SITE_ID and FEE_TYPE; both values are passed as field/value pairs,
// not as SQL text.
var whereParameters = new List<KeyValuePair<string, object>>
{
    new KeyValuePair<string, object>(PRICEEntity.FieldSITE_ID, TargetSiteId),
    new KeyValuePair<string, object>(PRICEEntity.FieldFEE_TYPE, TargetFeeType)
};
// Columns to set: deletion-state code 1 plus the modification audit fields.
var parameters = new List<KeyValuePair<string, object>>
{
    new KeyValuePair<string, object>(PRICEEntity.FieldDeletionStateCode, 1),
    new KeyValuePair<string, object>(PRICEEntity.FieldModifiedBy, UserInfo.RealName),
    // Local server time; NOTE(review): confirm whether the column is expected to hold UTC.
    new KeyValuePair<string, object>(PRICEEntity.FieldModifiedOn, DateTime.Now),
    new KeyValuePair<string, object>(PRICEEntity.FieldModifiedUserId, UserInfo.Id),
    new KeyValuePair<string, object>(PRICEEntity.FieldMODIFIEDSITE, UserInfo.CompanyName)
};
priceManager.SetProperty(whereParameters, parameters);
// Read one field ("LogonUrl") of the row matching a condition.
// The condition is an enabled, non-deleted item whose code equals the login model's system code.
var parameters = new List<KeyValuePair<string, object>>
{
    new KeyValuePair<string, object>(BaseItemDetailsEntity.FieldItemCode, loginModel.SystemCode),
    new KeyValuePair<string, object>(BaseItemDetailsEntity.FieldEnabled, 1),
    new KeyValuePair<string, object>(BaseItemDetailsEntity.FieldDeletionStateCode, 0)
};
// "ItemsSystem" is the target the manager is bound to; the condition values are passed as pairs.
var manager = new BaseManager(dbHelper, UserInfo, "ItemsSystem");
response = manager.GetProperty(parameters, "LogonUrl");
建议大家在使用底层时，尽量使用带参数化查询的方法。