This article covers the question "How can I use something like a GetDbNumberValue statement as a parameter, as in this code?" and how it was resolved. It may be a useful reference for anyone facing the same problem.

Problem description

How can I use something like a GetDbNumberValue statement as a parameter, like in this code?



This statement (GetDBNumberValue) prevents SQL injection, my boss said. But I'm going to find something like this and use it in my projects.

What I have tried:

public bool UpdateInfo_ToDownloadQueueStatus(string strAutoID)
{
    // The whole T-SQL batch is assembled by string concatenation. The query text
    // has no parameters; every place strAutoID is spliced in relies entirely on
    // GetDbNumberValue returning something safe to embed.
    string strQuery = " UPDATE tb_NGD_ToDownloadQueue SET ";
    strQuery += " Status = 2 ";
    strQuery += ",";
    // DateTime.Now.ToString() uses the current thread culture, so the literal
    // that reaches SQL Server depends on the machine's regional settings.
    strQuery += " DownloadEnd = " + GetDbStringValue(DateTime.Now.ToString());
    strQuery += " WHERE AutoID = " + GetDbNumberValue(strAutoID);

    // Count sibling queue rows still in Status = 1 for the same request.
    strQuery += " DECLARE @RowCount int; ";
    strQuery += " SELECT @RowCount = COUNT(*) FROM tb_NGD_ToDownloadQueue ";
    strQuery += " WHERE fk_DownloadRequestScales = ( SELECT TOP 1 fk_DownloadRequestScales FROM tb_NGD_ToDownloadQueue WHERE AutoID = " + GetDbNumberValue(strAutoID) + " ) AND [Status] = 1 ";

    // Mark the parent request as 5 while work remains, otherwise as 2.
    strQuery += " IF @RowCount > 0 ";
    strQuery += " BEGIN ";
    strQuery += " UPDATE tb_NGD_DownloadRequestScales SET JobStatusID = 5 WHERE tb_NGD_DownloadRequestScales.AutoID = ( SELECT TOP 1 fk_DownloadRequestScales FROM tb_NGD_ToDownloadQueue WHERE AutoID = " + GetDbNumberValue(strAutoID) + " ) ";
    strQuery += " END ";
    strQuery += " ELSE ";
    strQuery += " BEGIN ";
    strQuery += " UPDATE tb_NGD_DownloadRequestScales SET JobStatusID = 2 WHERE tb_NGD_DownloadRequestScales.AutoID = ( SELECT TOP 1 fk_DownloadRequestScales FROM tb_NGD_ToDownloadQueue WHERE AutoID = " + GetDbNumberValue(strAutoID) + " ) ";
    strQuery += " END ";

    //strQuery += " UPDATE tb_NGD_DownloadRequestScales SET ";
    //strQuery += " JobStatusID = 2 ";
    //strQuery += " WHERE AutoID = ( SELECT TOP 1 fk_DownloadRequestScales FROM tb_NGD_ToDownloadQueue WHERE AutoID = " + GetDbNumberValue(strAutoID) + " ) ";

    // The finished string is handed to a helper that executes it as-is.
    if (!baseClass.MapInfo_NoRetValue(strQuery))
    {
        ErrMessage = baseClass.ErrMessage;
        return false;
    }

    return true;
}

Recommended answer

// Parameterised form of the first UPDATE from the question. Requires
// using System.Data.SqlClient; and assumes con is an open SqlConnection.
string strQuery = "UPDATE tb_NGD_ToDownloadQueue SET Status = 2, DownloadEnd = @DLE WHERE AutoID = @AID";
using (SqlCommand cmd = new SqlCommand(strQuery, con))
{
    // The values travel as typed parameters, not as text spliced into the
    // statement, so strAutoID cannot alter the structure of the query.
    cmd.Parameters.AddWithValue("@DLE", DateTime.Now);
    // AddWithValue infers nvarchar from a C# string. If AutoID is an int column,
    // prefer cmd.Parameters.Add("@AID", SqlDbType.Int).Value = int.Parse(strAutoID);
    // so the server is not left to convert the value itself.
    cmd.Parameters.AddWithValue("@AID", strAutoID);
    ...
}
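As an added example (not part of the question or the recommended answer), here is the complete batch from the question rewritten so that every caller-supplied value is a typed SqlParameter and nothing is concatenated into the T-SQL. Table and column names come from the question; the class name, the connection string, the ErrMessage property, the int validation and the transaction are assumptions. The IF/ELSE from the original is folded into one UPDATE with a CASE expression, which has the same effect with one statement fewer.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the question's batch with parameters instead of concatenation.
// The class, connection string and ErrMessage property are placeholders.
public class ToDownloadQueueRepository
{
    private readonly string _connectionString;
    public string ErrMessage { get; private set; }

    public ToDownloadQueueRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Fixed query text. @AutoID and @DownloadEnd are the only variable parts,
    // and they arrive as parameters, so the statement structure cannot change.
    private const string UpdateBatch = @"
UPDATE tb_NGD_ToDownloadQueue
   SET Status = 2,
       DownloadEnd = @DownloadEnd
 WHERE AutoID = @AutoID;

DECLARE @RowCount int;
SELECT @RowCount = COUNT(*)
  FROM tb_NGD_ToDownloadQueue
 WHERE fk_DownloadRequestScales = (SELECT TOP 1 fk_DownloadRequestScales
                                     FROM tb_NGD_ToDownloadQueue
                                    WHERE AutoID = @AutoID)
   AND [Status] = 1;

-- IF @RowCount > 0 ... 5 ELSE ... 2 from the question, as a single UPDATE.
UPDATE tb_NGD_DownloadRequestScales
   SET JobStatusID = CASE WHEN @RowCount > 0 THEN 5 ELSE 2 END
 WHERE AutoID = (SELECT TOP 1 fk_DownloadRequestScales
                   FROM tb_NGD_ToDownloadQueue
                  WHERE AutoID = @AutoID);";

    public bool UpdateInfo_ToDownloadQueueStatus(string strAutoID)
    {
        // Reject anything that is not an integer before it gets near the
        // database. This replaces the "escape a number" helper with a real
        // type check; the value is then passed as an int, not as text.
        if (!int.TryParse(strAutoID, out int autoId))
        {
            ErrMessage = "AutoID must be an integer.";
            return false;
        }

        try
        {
            using (var con = new SqlConnection(_connectionString))
            using (var cmd = new SqlCommand(UpdateBatch, con))
            {
                // Explicit SqlDbType: the server receives an int and a datetime,
                // never a culture-dependent string it has to parse.
                cmd.Parameters.Add("@AutoID", SqlDbType.Int).Value = autoId;
                cmd.Parameters.Add("@DownloadEnd", SqlDbType.DateTime).Value = DateTime.Now;

                con.Open();
                // Two tables are updated; a transaction keeps them consistent
                // if the second UPDATE fails.
                using (SqlTransaction tx = con.BeginTransaction())
                {
                    cmd.Transaction = tx;
                    cmd.ExecuteNonQuery();
                    tx.Commit();
                }
            }
            return true;
        }
        catch (SqlException ex)
        {
            ErrMessage = ex.Message;
            return false;
        }
    }
}
```

SqlClient sends a parameterised command through sp_executesql, so the DECLARE and the local @RowCount variable inside the batch work exactly as they would in the concatenated version. The difference is that strAutoID is validated as an int in C# and bound as SqlDbType.Int, so an input such as "1 OR 1=1" is rejected by TryParse rather than depending on whatever GetDbNumberValue does with it.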


That concludes this article on using something like a GetDbNumberValue statement as a parameter. We hope the recommended answer is helpful.

10-19 02:18