Pass parameterized query in a public function.


Problem description


To prevent SQL injection I want to use parameterized queries in our code, but some queries pass through a public function, so how can we get the parameter values into the public function?

In the code below, we pass different parameters for different function calls, so how can we do this using parameterized queries?

Thanks.

What I have tried:

Public Function GetDefaultListID(ByVal UnitId As String, ByVal RegionID As Integer) As String
    Dim DiameterID As String
    ' Injection point: the string UnitId is concatenated straight into the SQL text.
    Dim sqlString As String = "Select Top 1 ListID from List where UnitId='" & UnitId & "' And RegionID=" & RegionID & ""
    DiameterID = GetSingleData(sqlString)
    Return DiameterID
End Function

Public Function GetListName(ByVal ListID As String) As String
    Dim UnitName As String
    ' Injection point: the string ListID is concatenated straight into the SQL text.
    Dim sqlString As String = "Select ListName from List where ListID='" & ListID & "'"
    UnitName = GetSingleData(sqlString)
    Return UnitName
End Function

' Shared helper: it only ever receives the finished SQL string, so it has no way
' to separate data from SQL code. oSqlCommand and oSqlConn are fields of the
' enclosing class; the command is never disposed.
Public Function GetSingleData(ByVal sqlString As String) As String
    oSqlCommand = New SqlCommand(sqlString, oSqlConn)
    Dim RetVal As Object = oSqlCommand.ExecuteScalar()

    If RetVal Is Nothing OrElse Convert.IsDBNull(RetVal) Then
        Return String.Empty
    Else
        Return RetVal.ToString()
    End If
End Function

Recommended answer

Either remove the call to the method and implement parameterised queries locally, or set up method(s) which accept the SQL command string and the parameters it needs.

And you should be disposing your SqlCommand objects when you are finished with them, as well as SqlDataReaders and SqlConnections. If you don't, they remain in existence until the app ends or the GC is required.
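The second option from the answer above, worked through as an added example (this is not the answer's own code and not the asker's project code): the shared helper takes the SQL text with @placeholders plus the SqlParameter objects it needs, and every object is disposed by a Using block. The connection string field connString, the ListRepository class name and the nvarchar(50) column sizes are assumptions; the table and column names are the ones from the question.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

' Added example: hypothetical wrapper class around the question's three functions.
Public Class ListRepository
    Private ReadOnly connString As String   ' assumed: supplied by the caller

    Public Sub New(ByVal connectionString As String)
        connString = connectionString
    End Sub

    ' The shared helper now receives the SQL text and its parameters separately,
    ' so the driver sends user input as typed values, never as SQL code.
    ' Using blocks dispose the connection and command even when an exception is thrown.
    Public Function GetSingleData(ByVal sqlString As String, ByVal ParamArray parameters() As SqlParameter) As String
        Using conn As New SqlConnection(connString)
            Using cmd As New SqlCommand(sqlString, conn)
                cmd.CommandType = CommandType.Text
                If parameters IsNot Nothing Then
                    cmd.Parameters.AddRange(parameters)
                End If
                conn.Open()
                Dim retVal As Object = cmd.ExecuteScalar()
                ' OrElse short-circuits, so IsDBNull is not evaluated on Nothing.
                If retVal Is Nothing OrElse Convert.IsDBNull(retVal) Then
                    Return String.Empty
                End If
                Return retVal.ToString()
            End Using
        End Using
    End Function

    ' Each caller builds fresh, typed parameters for its own query. Giving an
    ' explicit SqlDbType and size (50 is an assumed column length) keeps one
    ' cached plan instead of one per distinct input length.
    Public Function GetDefaultListID(ByVal unitId As String, ByVal regionId As Integer) As String
        Dim sql As String = "SELECT TOP 1 ListID FROM List WHERE UnitId = @UnitId AND RegionID = @RegionID"
        Dim pUnit As New SqlParameter("@UnitId", SqlDbType.NVarChar, 50) With {.Value = unitId}
        Dim pRegion As New SqlParameter("@RegionID", SqlDbType.Int) With {.Value = regionId}
        Return GetSingleData(sql, pUnit, pRegion)
    End Function

    Public Function GetListName(ByVal listId As String) As String
        Dim sql As String = "SELECT ListName FROM List WHERE ListID = @ListID"
        Dim pList As New SqlParameter("@ListID", SqlDbType.NVarChar, 50) With {.Value = listId}
        Return GetSingleData(sql, pList)
    End Function
End Class
```

With this shape an input such as `' OR 1=1 --` for ListID is compared as a literal string against the ListID column and matches nothing, instead of rewriting the WHERE clause. Two caveats a practitioner should keep in mind: a SqlParameter instance can belong to only one SqlParameterCollection at a time, so callers must create new parameter objects per call rather than reusing shared ones; and parameters can only stand in for values, not for table or column names or the TOP count, so if those ever have to vary they must be chosen from a fixed allow-list in code rather than taken from input.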

