
我想通过调用一个函数从数据库中选择数据,因为这样更高效,而且我不想每次都重复打开连接并执行 ExecuteReader,有什么办法可以做到这一点?

这是我从数据库中选择数据的第一种方法,但它存在 SQL 注入问题:

    /// <summary>
    /// Looks up the typed student name and shows "true"/"false" in lblAns.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the WHERE clause is built by splicing TextBox1.Text into the SQL
    /// string, so whatever the user types becomes part of the statement (SQL injection).
    /// The value should be bound as a parameter instead; only the helper's string-only
    /// signature keeps this call in its current form.
    /// </remarks>
    protected void Button1_Click(object sender, EventArgs e)
    {
        var helper = new Class1();
        string where = "Student = '" + TextBox1.Text + "'";
        lblAns.Text = helper.getdata("Table1", "Student", where);
    }


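    /// <summary>
    /// Runs "select {field} from {table} where {condition}" and reports whether
    /// at least one row came back.
    /// </summary>
    /// <param name="table">Table name. Spliced into the SQL text verbatim, so it must come from code, never from user input.</param>
    /// <param name="field">Column to select. Same caveat as <paramref name="table"/>.</param>
    /// <param name="condition">WHERE clause body. Write user-supplied values as @placeholders and bind them via <paramref name="parameters"/>; never concatenate them into this string.</param>
    /// <param name="parameters">Optional parameters for the placeholders used in <paramref name="condition"/>. Existing three-argument callers keep working unchanged.</param>
    /// <returns>"true" if the query returned a row, otherwise "false" (also when a SqlException occurred).</returns>
    public string getdata(string table, string field, string condition, params SqlParameter[] parameters)
    {
        // Identifiers cannot be parameterized in T-SQL, so table/field are only safe when
        // supplied by trusted code. Values belong in parameters, not in this string.
        string sql = "select " + field + " from " + table + " where " + condition;

        try
        {
            // using blocks dispose connection (back to the pool), command and reader on
            // every path, including the early return below.
            using (SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database1.mdf;Integrated Security=True;User Instance=True"))
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                if (parameters != null)
                {
                    cmd.Parameters.AddRange(parameters);
                }

                conn.Open();
                using (SqlDataReader rdr = cmd.ExecuteReader())
                {
                    // One row is enough to answer; no need to iterate the rest.
                    if (rdr.Read())
                    {
                        return "true";
                    }
                }
            }
        }
        catch (System.Data.SqlClient.SqlException ex)
        {
            // Keep the caller-facing contract ("false" on failure) but do not lose the cause;
            // the original built this message and then discarded it.
            System.Diagnostics.Trace.TraceError("Select Error:" + ex.Message);
        }
        return "false";
    }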

这是我的第二种方法,但在 `rdr = cmd.ExecuteReader();` 这一行会出错(ExecuteReader 需要一个打开且可用的连接。连接的当前状态已关闭。)

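     /// <summary>
     /// Executes <paramref name="command"/> on <paramref name="conn"/> and reports whether it returned at least one row.
     /// </summary>
     /// <param name="command">A ready-to-run command. Its Connection property is replaced by <paramref name="conn"/>.</param>
     /// <param name="conn">Connection opened for the duration of the call; it is closed before returning.</param>
     /// <returns>"true" if a row was read, otherwise "false" (also when a SqlException occurred).</returns>
     /// <exception cref="ArgumentNullException">Either argument is null.</exception>
     public string getdata(SqlCommand command, SqlConnection conn)
    {
        if (command == null)
        {
            throw new ArgumentNullException("command");
        }
        if (conn == null)
        {
            throw new ArgumentNullException("conn");
        }

        try
        {
            // The command has to run on the connection opened here; the original never
            // associated the two, which is why ExecuteReader saw a closed connection.
            command.Connection = conn;
            conn.Open();
            using (SqlDataReader rdr = command.ExecuteReader())
            {
                // One row is enough to answer; no need to iterate the rest.
                if (rdr.Read())
                {
                    return "true";
                }
            }
        }
        catch (System.Data.SqlClient.SqlException ex)
        {
            // Keep the "false" contract but record the cause instead of discarding it.
            System.Diagnostics.Trace.TraceError("Select Error:" + ex.Message);
        }
        finally
        {
            conn.Close();
        }
        return "false";
    }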

    /// <summary>
    /// Creates a new, unopened connection to the local SQLEXPRESS user-instance database.
    /// </summary>
    /// <returns>A closed <see cref="SqlConnection"/>; the caller is responsible for opening and disposing it.</returns>
    public SqlConnection conn()
    {
        const string connectionString = @"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database1.mdf;Integrated Security=True;User Instance=True";
        return new SqlConnection(connectionString);
    }

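    /// <summary>
    /// Looks up the typed student name with a parameterized query and shows the
    /// helper's "true"/"false" answer in lblAns.
    /// </summary>
    protected void Button1_Click(object sender, EventArgs e)
    {
        Class1 myClass = new Class1();
        string strSql = "Select student from Table1 where student=@stu";

        // One connection object serves both the command and getdata. The original built
        // the command on one conn() instance and opened a different one, so ExecuteReader
        // ran against a closed connection. The parameter keeps the typed text out of the SQL.
        using (SqlConnection conn = myClass.conn())
        using (SqlCommand command = new SqlCommand(strSql, conn))
        {
            command.Parameters.AddWithValue("@stu", TextBox1.Text);
            // The original discarded the result; show it like the first version did.
            lblAns.Text = myClass.getdata(command, conn);
        }
    }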

有没有办法既使用第一种方法,又避免 SQL 注入问题?




始终使用第二种解决方案。避免 SQL 注入的唯一方法是使用参数化查询。

另外要修复第二个示例中的错误:您没有把命令关联到所打开的连接上;为连接保留一个全局对象也是不好的做法。ADO.NET 有连接池机制,既避免了昂贵的连接打开/关闭,又能安全地处理这些对象。

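/// <summary>
/// Runs <paramref name="command"/> on a fresh connection and reports whether it returned a row.
/// </summary>
/// <param name="command">Command to execute; its Connection is set here, so callers need not supply one.</param>
/// <returns>"true" if a row was read, "false" if none, or "Select Error:" followed by the message when a SqlException occurred.</returns>
/// <exception cref="ArgumentNullException"><paramref name="command"/> is null.</exception>
public string getdata(SqlCommand command)
{
    if (command == null)
    {
        throw new ArgumentNullException("command");
    }

    // Using statements dispose the connection (returning it to the pool) and the reader
    // on every path, including the early return below.
    // NOTE(review): connectionString is assumed to be a field of this class — confirm.
    using (SqlConnection conn = new SqlConnection(connectionString))
    {
        try
        {
            conn.Open();
            // The original assigned cmd.Connection, but the parameter is named command.
            command.Connection = conn;
            using (SqlDataReader rdr = command.ExecuteReader())
            {
                // One row is enough to answer; no need to iterate the rest.
                if (rdr.Read())
                {
                    return "true";
                }
            }
        }
        catch (System.Data.SqlClient.SqlException ex)
        {
            string msg = "Select Error:";
            msg += ex.Message;
            return msg;
        }
    }
    return "false";
}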
于 2013-05-16T08:26:21.867 回答