我以前做过,但在这种情况下,我有一个insert into table查询,其中目标表的列的值来自另一个查询的结果。有了这个,我不确定我parametarized query的格式是否正确。
Sql Injection这是一个没有之前修复的原始查询:
cmd.CommandText += "insert into controlnumber (controlnumber, errorid)
values ('" + ControlNumber + "', (select errorid from error where
errordescription = '" + ErrorDescription + "' and errortype = '" +
ErrorType + "' + and applicationid = " + ApplicationID + " and statusid =
" + StatusID + " and userid = " + UserID + " and errortime = '" +
ErrorTime + "');";
这是我尝试修复后的查询Sql Injection:
cmd.CommandText = "insert into ControlTable(ControlNumber, ErrorID)
values (@ControlNum, (select errorid from error where errordescription =
@ErrorDescription and errortype = @errorType and applicationid =
@ApplicationID and statusid = @StatusID and userid = @UserID and
errortime = @ErrorTime)"
这是我添加参数的地方:
......
command.CommandType = CommandType.Text
command.Parameters.AddWithValue("@ErrorDescription ", ErrorDesc);
command.Parameters.AddWithValue("@ControlNum", cntNumber);
command.Parameters.AddWithValue("@errorType",ErrorType);
command.Parameters.AddWithValue("@ApplicationID",AppID);
command.Parameters.AddWithValue("@StatusID",StatusID);
command.Parameters.AddWithValue("@UserID",UserID);
....我只是想知道我CommandText的格式是否正确。
谢谢