sql 防注入插入

 1  var strsql = "insert into Staff_Answer (ExamTitleID,QuestionsID,MultipleChoice,RightOption,AnswerOption,IsRight,Score,StaffScore,Remark,State,Creator,CreatOrg,CreateTime) values";

 2             strsql += "(@ExamTitleID,@QuestionsID,@MultipleChoice,@RightOption,@AnswerOption,@IsRight,@Score,@StaffScore,@Remark,@State,@Creator,@CreatOrg,@CreateTime)";

 3             var cmd = new SqlCommand(strsql);

 4             var param = new SqlParameter[] { 

 5                                                 new SqlParameter("@ExamTitleID",SqlDbType.UniqueIdentifier),

 6                                                 new SqlParameter("@QuestionsID",SqlDbType.UniqueIdentifier),

 7                                                 new SqlParameter("@MultipleChoice",SqlDbType.NVarChar,2),

 8                                                 new SqlParameter("@RightOption",SqlDbType.NVarChar,200),

 9                                                 new SqlParameter("@AnswerOption",SqlDbType.NVarChar,200),

10                                                 new SqlParameter("@IsRight",SqlDbType.NVarChar,2),

11                                                 new SqlParameter("@Score",SqlDbType.Decimal,18),

12                                                 new SqlParameter("@StaffScore",SqlDbType.Decimal,18),

13                                                 new SqlParameter("@Remark",SqlDbType.Text),

14                                                 new SqlParameter("@State",SqlDbType.NVarChar,2),

15                                                 new SqlParameter("@Creator",SqlDbType.NVarChar,200),

16                                                 new SqlParameter("@CreatOrg",SqlDbType.NVarChar,200),

17                                                 new SqlParameter("@CreateTime",SqlDbType.NVarChar,200)

18                                             };

19 

20 

21             param[0].Value = new Guid(this.ExamTitleCode.Value);

22             param[1].Value = new Guid(QuestionsID);

23             param[2].Value = Anserdt.Rows[0]["MultipleChoice"].ToString();

24             param[3].Value = RightOption;

25             param[4].Value = AnswerOption;

26             param[5].Value = ISRight ? "1" : "0";

27             param[6].Value = Convert.ToInt32(Question.Rows[0]["Score"]);

28             param[7].Value = ISRight ? Convert.ToInt32(Question.Rows[0]["Score"]) : 0;

29             param[8].Value = this.Remark.InnerText;

30             param[9].Value = "1";

31             param[10].Value = userid;

32             param[11].Value = Orgname1;

33             param[12].Value = DateTime.Now;

34 

35             foreach (SqlParameter para in param)

36             {

37                 cmd.Parameters.Add(para);

38             }

39            helps.GetExecuteNonQueryBySqlPa(cmd);

40         }
View Code

感谢同事给我提供的内容

你可能感兴趣的:(sql)