一般來(lái)說(shuō)�,在更新DataTable或是DataSet時(shí)�����,如果不采用SqlParameter�,那么當(dāng)輸入的Sql語(yǔ)句出現(xiàn)歧義時(shí)�����,如字符串中含有單引號(hào)��,程序就會(huì)發(fā)生錯(cuò)誤,并且他人可以輕易地通過(guò)拼接Sql語(yǔ)句來(lái)進(jìn)行注入攻擊���。
string sql = "update Table1 set name = 'Pudding' where ID = '1'";//未采用SqlParameterSqlConnection conn = new SqlConnection();conn.ConnectionString = "Data Source=.//SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|//Database.mdf;User Instance=true";//連接字符串與數(shù)據(jù)庫(kù)有關(guān)SqlCommand cmd = new SqlCommand(sql, conn);try{ conn.Open(); return(cmd.ExecuteNonQuery());}catch (Exception){ return -1; throw;}finally{ conn.Close();}上述代碼未采用SqlParameter,除了存在安全性問(wèn)題����,該方法還無(wú)法解決二進(jìn)制流的更新����,如圖片文件�。通過(guò)使用SqlParameter可以解決上述問(wèn)題,常見(jiàn)的使用方法有兩種�����,Add方法和AddRange方法����。
一、Add方法
SqlParameter sp = new SqlParameter("@name","Pudding");cmd.Parameters.Add(sp);sp = new SqlParameter("@ID","1");cmd.Parameters.Add(sp);該方法每次只能添加一個(gè)SqlParameter��。上述代碼的功能是將ID值等于1的字段name更新為Pudding(人名)���。
二�����、AddRange方法
SqlParameter[] paras = new SqlParameter[] { new SqlParameter("@name","Pudding"),new SqlParameter("@ID","1") };cmd.Parameters.AddRange(paras);顯然,Add方法在添加多個(gè)SqlParameter時(shí)不方便,此時(shí),可以采用AddRange方法�。
下面是通過(guò)SqlParameter向數(shù)據(jù)庫(kù)存儲(chǔ)及讀取圖片的代碼��。
public int SavePhoto(string photourl){ FileStream fs = new FileStream(photourl, FileMode.Open, FileAccess.Read);//創(chuàng)建FileStream對(duì)象,用于向BinaryReader寫(xiě)入字節(jié)數(shù)據(jù)流 BinaryReader br = new BinaryReader(fs);//創(chuàng)建BinaryReader對(duì)象,用于寫(xiě)入下面的byte數(shù)組 byte[] photo = br.ReadBytes((int)fs.Length);//新建byte數(shù)組�,寫(xiě)入br中的數(shù)據(jù) br.Close();//記得要關(guān)閉br fs.Close();//還有fs string sql = "update Table1 set photo = @photo where ID = '0'"; SqlConnection conn = new SqlConnection(); conn.ConnectionString = "Data Source=.//SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|//Database.mdf;User Instance=true"; SqlCommand cmd = new SqlCommand(sql, conn); SqlParameter sp = new SqlParameter("@photo", photo); cmd.Parameters.Add(sp); try { conn.Open(); return (cmd.ExecuteNonQuery()); } catch (Exception) { return -1; throw; } finally { conn.Close(); }} public void ReadPhoto(string url) { string sql = "select photo from Table1 where ID = '0'"; SqlConnection conn = new SqlConnection(); conn.ConnectionString = "Data Source=.//SQLExpress;Integrated Security=true;AttachDbFilename=|DataDirectory|//Database.mdf;User Instance=true"; SqlCommand cmd = new SqlCommand(sql, conn); try { conn.Open(); SqlDataReader reader = cmd.ExecuteReader();//采用SqlDataReader的方法來(lái)讀取數(shù)據(jù) if (reader.Read()) { byte[] photo = reader[0] as byte[];//將第0列的數(shù)據(jù)寫(xiě)入byte數(shù)組 FileStream fs = new FileStream(url,FileMode.CreateNew);創(chuàng)建FileStream對(duì)象�,用于寫(xiě)入字節(jié)數(shù)據(jù)流 fs.Write(photo,0,photo.Length);//將byte數(shù)組中的數(shù)據(jù)寫(xiě)入fs fs.Close();//關(guān)閉fs } reader.Close();//關(guān)閉reader } catch (Exception ex) { throw; } finally { conn.Close(); } }}以上就是本文的全部?jī)?nèi)容����,希望對(duì)大家的學(xué)習(xí)有所幫助,也希望大家多多支持武林網(wǎng)。
