以下代码容易受到SQL注入攻击,我正在尝试更正以前开发人员的代码;他使用DataTable进一步使用查询 - 如何使用prepare语句和数据表?
string data = "";
int i = 1;
cmd = new SqlCommand("select * from maincategory where isactive=1 and id in (select catid from productmaster where isactive=1)", con);
con.Open();
DataTable dt = new DataTable();
dt.Load(cmd.ExecuteReader());
con.Close();
if (dt.Rows.Count > 0)
{
data += "<ul>";
foreach (DataRow DR in dt.Rows)
{
data += "<li><a href='product.aspx?cid="+DR["id"]+"'>" + DR["catname"] + "</a></li>";
}
data += " </ul>";
}
lblpartners.Text = data;
我试过的代码:
public void show()
{
string data = "";
int i = 1;
cmd = new SqlCommand("select * from maincategory where isactive=@val1 and id in (select catid from productmaster where isactive=@val2)", con);
con.Open();
cmd.Parameters.AddWithValue("@val1", 1);
cmd.Parameters.AddWithValue("@val2", 1);
DataTable dt = new DataTable();
dt.Load(cmd.Prepare());
con.Close();
if (dt.Rows.Count > 0)
{
data += "<ul>";
foreach (DataRow DR in dt.Rows)
{
data += "<li><a href='product.aspx?cid="+DR["id"]+"'>" + DR["catname"] + "</a></li>";
}
data += " </ul>";
}
lblpartners.Text = data;
}
SqlCommand.Prepare没有返回IDataReader,it's a void method。 DataReader.Load()需要一个IDataReader对象。
也许你的意思是dt.Load(cmd.ExecuteReader())?