防止SQL注入-参数化SQL例代码asp.net

/// <summary> /// 更新一条数据 /// </summary> public void Update(Web.Model.T_Class model) { StringBuilder strSql = new StringBuilder(); strSql.Append("update T_sadfsd set "); strSql.Append("CName=@CName,"); strSql.Append("CFatherID=@CFatherID"); strSql.Append(" where CID=@CID "); SqlParameter[] parameters = { new SqlParameter("@CID", SqlDbType.Int,4), new SqlParameter("@CName", SqlDbType.NVarChar,50), new SqlParameter("@CFatherID", SqlDbType.Int,4)}; parameters[0].Value = model.CID; parameters[1].Value = model.CName; parameters[2].Value = model.CFatherID; DbHelperSQL.ExecuteSql(strSql.ToString(), parameters); }

=========================================================================================================================

string sql = "insert into S_Admin(UserName,Password,Remark,Mail,DepartId,Power)values(@UserName,@Password,@Remark,@Mail,@DepartId,@Power)";        SqlConnection connection = new SqlConnection();        connection.ConnectionString = "";//此处设置链接字符串        SqlCommand command = new SqlCommand(sql, connection);        command.Parameters.Add("@UserName",SqlDbType.NVarChar, 60).Value = userName;        command.Parameters.Add("@Password", SqlDbType.NVarChar, 60).Value = password;        command.Parameters.Add("@Remark", SqlDbType.NVarChar, 60).Value = remark;        command.Parameters.Add("@Mail", SqlDbType.NVarChar, 60).Value = mail;        command.Parameters.Add("@DepartId", SqlDbType.Int, 4).Value = departId;        command.Parameters.Add("@Power", SqlDbType.Int, 4).Value = power;        connection.Open();        int rowsAffected = command.ExecuteNonQuery();        connection.Close();        command.Dispose();        return rowsAffected > 0;
=========================================================================================================================

http://topic.csdn.net/u/20080521/09/dad3eaba-bfc7-483c-98cd-d310f9a76ff0.html?seed=596201967

http://topic.csdn.net/u/20081205/09/3dd06076-bcbe-45d4-998c-8999fdbe6fae.html