SQL Parameterized Query Detection
What parameterized SQL queries do:
1. Prevent SQL injection: a parameterized query guarantees that user-supplied data is never interpreted as SQL code, which defeats SQL injection attacks.
2. Improve performance: the SQL statement can be compiled once in advance; when the same query has to run again, only the parameter values are passed to the database, with no re-parsing or recompiling of the statement.
3. Improve readability and maintainability: the query logic is separated from the data values it operates on, so the code is more modular and easier to read and maintain.
Solution:
Refer to the following patterns:
1. A single SQL statement
   // fid, developer and ctx (the database context) are assumed to be in scope; "表名" stands for the real table name.
   string sql = "SELECT * FROM 表名 WHERE FID=@FID AND FDeveloper=@FDeveloper AND FCreatTime=@FCreatTime";
   // Every externally supplied value travels as a typed parameter, never as part of the SQL text.
   var plist = new List<SqlParam>()
   {
       new SqlParam("@FID", KDDbType.Int64, fid),
       new SqlParam("@FDeveloper", KDDbType.String, developer),
       new SqlParam("@FCreatTime", KDDbType.DateTime, DateTime.Now),
   };
   DBUtils.Execute(ctx, sql, plist);
2. Multiple SQL statements
   List<SqlObject> listSqlObject = new List<SqlObject>();
   // Sample primary keys for the rows to insert; this list must hold one entry per element of groupUsers.
   List<long> groupUserIds = new List<long>();
   groupUserIds.Add(10000);
   groupUserIds.Add(10001);
   // groupUsers, licenseId and ctx are assumed to be in scope; "表名" stands for the real table name.
   for (int i = 0; i < groupUsers.Count; i++)
   {
       var groupUser = groupUsers[i];
       string sqlTemp = @"insert into 表名(FID,FLicenseId,FBelongNumber,FKDPassportId,FUserName) values(@FID,@FLicenseId,@FBelongNumber,@FKDPassportId,@FUserName)";
       var pListTemp = new List<SqlParam>()
       {
           new SqlParam("@FID", KDDbType.Int64, groupUserIds[i]),
           new SqlParam("@FLicenseId", KDDbType.Int64, licenseId),
           new SqlParam("@FBelongNumber", KDDbType.String, groupUser.BelongNumber.ToDBString()),
           new SqlParam("@FKDPassportId", KDDbType.String, groupUser.KDPassportId.ToDBString()),
           new SqlParam("@FUserName", KDDbType.String, groupUser.UserName.ToDBString())
       };
       listSqlObject.Add(new SqlObject(sqlTemp, pListTemp));
   }
   // The status update is parameterized as well and joins the same batch.
   listSqlObject.Add(new SqlObject("update 表名 set FSyncState='C' where FID=@FID", new SqlParam("@FID", KDDbType.Int64, licenseId)));
   // Execute the whole batch inside one transaction so the inserts and the update commit or roll back together.
   using (var tran = new KDTransactionScope(System.Transactions.TransactionScopeOption.Required))
   {
       DBUtils.ExecuteBatch(ctx, listSqlObject);
       tran.Complete();
   }
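The two patterns above (a single parameterized lookup, and a parameterized batch committed as one transaction) are shown below as an added, runnable example that is not part of the original page or of the Kingdee API. It uses Python's sqlite3 module against an in-memory database instead of the C# DBUtils/SqlParam calls, because the behaviour being demonstrated (bound parameters are compared as values, never parsed as SQL; a failed batch rolls back completely) is the same in any driver. The table names, column layout and seed rows are constructed for the example; the vulnerable string-concatenation function is included only to make the contrast with the bound-parameter form visible.

```python
import sqlite3

# Constructed seed data for the in-memory database (not from the original page).
SEED_USERS = [(1, "alice", "2024-01-01"), (2, "bob", "2024-01-02"), (3, "carol", "2024-01-03")]
SEED_LICENSES = [(500, "N"), (501, "N")]


def make_db():
    """Create the constructed schema: a user table, a per-license user table and a license table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_user (FID INTEGER PRIMARY KEY, FDeveloper TEXT, FCreatTime TEXT)")
    conn.execute("CREATE TABLE t_user_license (FID INTEGER PRIMARY KEY, FLicenseId INTEGER, "
                 "FBelongNumber TEXT, FKDPassportId TEXT, FUserName TEXT)")
    conn.execute("CREATE TABLE t_license (FID INTEGER PRIMARY KEY, FSyncState TEXT)")
    conn.executemany("INSERT INTO t_user VALUES (?, ?, ?)", SEED_USERS)
    conn.executemany("INSERT INTO t_license VALUES (?, ?)", SEED_LICENSES)
    conn.commit()
    return conn


def find_by_developer_concat(conn, developer):
    """Vulnerable form: the input is spliced into the SQL text, so it can change what the query means."""
    sql = "SELECT FID FROM t_user WHERE FDeveloper='" + developer + "' ORDER BY FID"
    return [row[0] for row in conn.execute(sql)]


def find_by_developer_param(conn, developer):
    """Hardened form (the page's pattern 1): the input is a bound parameter and is only ever compared as a value."""
    sql = "SELECT FID FROM t_user WHERE FDeveloper=:FDeveloper ORDER BY FID"
    return [row[0] for row in conn.execute(sql, {"FDeveloper": developer})]


def insert_users_batch(conn, license_id, users):
    """The page's pattern 2: parameterized inserts plus a status update, committed as one transaction.

    `users` is a list of (fid, belong_number, passport_id, user_name) tuples.
    Returns True when the whole batch committed, False when it was rolled back.
    """
    insert_sql = ("INSERT INTO t_user_license (FID, FLicenseId, FBelongNumber, FKDPassportId, FUserName) "
                  "VALUES (:FID, :FLicenseId, :FBelongNumber, :FKDPassportId, :FUserName)")
    update_sql = "UPDATE t_license SET FSyncState='C' WHERE FID=:FID"
    try:
        with conn:  # the context manager commits on success and rolls back on any exception
            for fid, belong_number, passport_id, user_name in users:
                conn.execute(insert_sql, {"FID": fid, "FLicenseId": license_id, "FBelongNumber": belong_number,
                                          "FKDPassportId": passport_id, "FUserName": user_name})
            conn.execute(update_sql, {"FID": license_id})
        return True
    except sqlite3.Error:
        return False


def license_user_count(conn, license_id):
    """Number of rows written for a license (used to observe commit vs. rollback)."""
    return conn.execute("SELECT COUNT(*) FROM t_user_license WHERE FLicenseId=:id", {"id": license_id}).fetchone()[0]


def sync_state(conn, license_id):
    """Current FSyncState of a license row."""
    return conn.execute("SELECT FSyncState FROM t_license WHERE FID=:id", {"id": license_id}).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    hostile = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    print("concatenated:", find_by_developer_concat(db, hostile))  # the condition is rewritten: every row comes back
    print("parameterized:", find_by_developer_param(db, hostile))  # compared as a literal string: no row matches
    ok = insert_users_batch(db, 500, [(10000, "B1", "P1", "u1"), (10001, "B2", "P2", "u2")])
    print("batch 500 committed:", ok, "state:", sync_state(db, 500))
    # Second batch reuses FID 10000, which violates the primary key; nothing from it survives.
    ok = insert_users_batch(db, 501, [(10002, "B3", "P3", "u3"), (10000, "B4", "P4", "u4")])
    print("batch 501 committed:", ok, "rows:", license_user_count(db, 501), "state:", sync_state(db, 501))
```

The point of the second half is the one the page makes with KDTransactionScope: the inserts and the status update either all commit or none do, so a failure halfway through the loop cannot leave a license marked as synchronized with only part of its users written.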
This article was published on 2024-09-23 03:57:33 in the "云星空知识" (Kingdee Cloud Galaxy Knowledge) column.
Article link: https://wenku.my7c.com/article/kingdee-k3cloud-162196.html