c#中使用sql防注入方式写入数据
try
{
if (this.textBoxTransparent2_3.Text == null || this.textBoxTransparent2_3.Text == "")
{
MessageBox.Show("MIS项目编号是必填项!"); this.textBoxTransparent2_3.Focus(); return;
}
else if (textBoxTransparent_path.Text == "" || textBoxTransparent_path.Text == null)
{
MessageBox.Show("选择将要写入数据的SW工程图!"); this.textBoxTransparent_path.Focus(); return;
}
else
{
#region 写入工程图
tableEight();
tableNine();
tableTen();
MessageBox.Show("写入工程图成功");
#endregion
string table9_orderNo = this.textBoxTransparent2_3.Text;
DateTime dateTime = DateTime.Now;
string creater = global.account;
#region table8
string table8_1 = this.textBoxTransparent_1.Text;
string table8_2 = this.textBoxTransparent_2.Text;
string table8_3 = this.textBoxTransparent_3.Text;
string table8_4 = this.textBoxTransparent_4.Text;
string table8_5 = this.textBoxTransparent_5.Text;
string table8_6 = this.textBoxTransparent_6.Text;
string table8_7 = this.textBoxTransparent_7.Text;
string table8_8 = this.textBoxTransparent_8.Text;
string table8_9 = this.textBoxTransparent_9.Text;
string table8_10 = this.textBoxTransparent_10.Text;
string table8_11 = this.textBoxTransparent_11.Text;
#endregion
#region table9
string table9_1 = this.textBoxTransparent2_1.Text;
string table9_2 = this.textBoxTransparent2_2.Text;
string table9_4 = this.textBoxTransparent2_4.Text;
string table9_5 = this.textBoxTransparent2_5.Text;
string table9_6 = this.textBoxTransparent2_6.Text;
string table9_7 = this.textBoxTransparent2_7.Text;
string table9_8 = this.textBoxTransparent2_8.Text;
string table9_9 = this.textBoxTransparent2_9.Text;
string table9_10 = this.textBoxTransparent2_10.Text;
string table9_11 = this.textBoxTransparent2_11.Text;
string table9_12 = this.textBoxTransparent2_12.Text;
string table9_13 = this.textBoxTransparent2_13.Text;
string table9_14 = this.textBoxTransparent2_14.Text;
string table9_15 = this.textBoxTransparent2_15.Text;
string table9_16 = this.textBoxTransparent2_16.Text;
string table9_17 = this.textBoxTransparent2_17.Text;
string table9_18 = this.textBoxTransparent2_18.Text;
string table9_19 = this.textBoxTransparent2_19.Text;
string table9_20 = this.textBoxTransparent2_20.Text;
string table9_21 = this.textBoxTransparent2_21.Text;
string table9_22 = this.textBoxTransparent2_22.Text;
string table9_23 = this.textBoxTransparent2_23.Text;
string table9_24 = this.textBoxTransparent2_24.Text;
string table9_25 = this.textBoxTransparent2_25.Text;
string table9_26 = this.textBoxTransparent2_26.Text;
#endregion
#region table10
string table10_1 = this.textBoxTransparent3_1.Text;
string table10_2 = this.textBoxTransparent3_2.Text;
string table10_3 = this.textBoxTransparent3_3.Text;
string table10_4 = this.textBoxTransparent3_4.Text;
string table10_5 = this.textBoxTransparent3_5.Text;
string table10_6 = this.textBoxTransparent3_6.Text;
string table10_7 = this.textBoxTransparent3_7.Text;
string table10_8 = this.textBoxTransparent3_8.Text;
string table10_9 = this.textBoxTransparent3_9.Text;
string table10_10 = this.textBoxTransparent3_10.Text;
string table10_11 = this.textBoxTransparent3_11.Text;
#endregion
// 调用ExecuteScalar方法的示例
string queryString = "select [table9_orderNo] FROM [dbo].[1swtabledata] where [table9_orderNo] = '" + table9_orderNo + "'"; // 这里是一个没有参数的SQL查询
object result = SqlhelperClass.sqlHelper.ExecuteScalar(queryString, CommandType.Text);
if (result == null) // 如果没有此序列号,则新增数据
{
//如果没有此唯一序列号,就插入新增
// 定义你的 SQL 插入语句
string insertSql = "insert into [dbo].[1swtabledata] ([table9_orderNo] ,[table8_1] ,[table8_2] ,[table8_3] ,[table8_4] ,[table8_5] ,[table8_6] ,[table8_7] ,[table8_8] ,[table8_9] ,[table8_10] ,[table8_11] ,[table9_1] ,[table9_2] ,[table9_4] ,[table9_5] ,[table9_6] ,[table9_7] ,[table9_8] ,[table9_9] ,[table9_10] ,[table9_11] ,[table9_12] ,[table9_13] ,[table9_14] ,[table9_15] ,[table9_16] ,[table9_17] ,[table9_18] ,[table9_19] ,[table9_20] ,[table9_21] ,[table9_22] ,[table9_23] ,[table9_24] ,[table9_25] ,[table9_26] ,[table10_1] ,[table10_2] ,[table10_3] ,[table10_4] ,[table10_5] ,[table10_6] ,[table10_7] ,[table10_8] ,[table10_9] ,[table10_10] ,[table10_11],[dateTime],[creater]) values (@table9_orderNo, @table8_1, @table8_2, @table8_3, @table8_4, @table8_5, @table8_6, @table8_7, @table8_8, @table8_9, @table8_10, @table8_11, @table9_1, @table9_2, @table9_4, @table9_5, @table9_6, @table9_7, @table9_8,@table9_9, @table9_10, @table9_11, @table9_12, @table9_13, @table9_14, @table9_15, @table9_16, @table9_17, @table9_18, @table9_19, @table9_20, @table9_21, @table9_22, @table9_23, @table9_24, @table9_25, @table9_26, @table10_1, @table10_2, @table10_3, @table10_4, @table10_5, @table10_6, @table10_7, @table10_8, @table10_9, @table10_10, @table10_11, @dateTime, @creater);";
//创建 SQL 参数数组
SqlParameter[] parameters2 = new SqlParameter[]
{
#region 防注入
new SqlParameter("@table9_orderNo", table9_orderNo),
new SqlParameter("@table8_1", table8_1),
new SqlParameter("@table8_2", table8_2),
new SqlParameter("@table8_3", table8_3),
new SqlParameter("@table8_4", table8_4),
new SqlParameter("@table8_5", table8_5),
new SqlParameter("@table8_6", table8_6),
new SqlParameter("@table8_7", table8_7),
new SqlParameter("@table8_8", table8_8),
new SqlParameter("@table8_9", table8_9),
new SqlParameter("@table8_10", table8_10),
new SqlParameter("@table8_11", table8_11),
new SqlParameter("@table9_1", table9_1),
new SqlParameter("@table9_2", table9_2),
new SqlParameter("@table9_4", table9_4),
new SqlParameter("@table9_5", table9_5),
new SqlParameter("@table9_6", table9_6),
new SqlParameter("@table9_7", table9_7),
new SqlParameter("@table9_8", table9_8),
new SqlParameter("@table9_9", table9_9),
new SqlParameter("@table9_10", table9_10),
new SqlParameter("@table9_11", table9_11),
new SqlParameter("@table9_12", table9_12),
new SqlParameter("@table9_13", table9_13),
new SqlParameter("@table9_14", table9_14),
new SqlParameter("@table9_15", table9_15),
new SqlParameter("@table9_16", table9_16),
new SqlParameter("@table9_17", table9_17),
new SqlParameter("@table9_18", table9_18),
new SqlParameter("@table9_19", table9_19),
new SqlParameter("@table9_20", table9_20),
new SqlParameter("@table9_21", table9_21),
new SqlParameter("@table9_22", table9_22),
new SqlParameter("@table9_23", table9_23),
new SqlParameter("@table9_24", table9_24),
new SqlParameter("@table9_25", table9_25),
new SqlParameter("@table9_26", table9_26),
new SqlParameter("@table10_1", table10_1),
new SqlParameter("@table10_2", table10_2),
new SqlParameter("@table10_3", table10_3),
new SqlParameter("@table10_4", table10_4),
new SqlParameter("@table10_5", table10_5),
new SqlParameter("@table10_6", table10_6),
new SqlParameter("@table10_7", table10_7),
new SqlParameter("@table10_8", table10_8),
new SqlParameter("@table10_9", table10_9),
new SqlParameter("@table10_10", table10_10),
new SqlParameter("@table10_11", table10_11),
new SqlParameter("@dateTime", dateTime),
new SqlParameter("@creater", creater)
#endregion
};
int result2 = SqlhelperClass.sqlHelper.ExecuteNonQuery(insertSql, CommandType.Text, parameters2);
MessageBox.Show("当前页面所有数据存档成功!");
}
else
{
string updateSql = "update [dbo].[1swtabledata] set [table8_1]=@table8_1, [table8_2]=@table8_2,[table8_3]=@table8_3,[table8_4]=@table8_4,[table8_5]=@table8_5,[table8_6]=@table8_6,[table8_7]=@table8_7,[table8_8]=@table8_8,[table8_9]=@table8_9,[table8_10]=@table8_10, [table8_11]=@table8_11,[table9_1]=@table9_1, [table9_2]=@table9_2,[table9_4]=@table9_4,[table9_5]=@table9_5,[table9_6]=@table9_6,[table9_7]=@table9_7,[table9_8]=@table9_8,[table9_9]=@table9_9,[table9_10]=@table9_10,[table9_11]=@table9_11,[table9_12]=@table9_12,[table9_13]=@table9_13,[table9_14]=@table9_14,[table9_15]=@table9_15,[table9_16]=@table9_16,[table9_17]=@table9_17,[table9_18]=@table9_18,[table9_19]=@table9_19,[table9_20]=@table9_20,[table9_21]=@table9_21,[table9_22]=@table9_22,[table9_23]=@table9_23,[table9_24]=@table9_24,[table9_25]=@table9_25,[table9_26]=@table9_26,[table10_1]=@table10_1,[table10_2]=@table10_2,[table10_3]=@table10_3,[table10_4]=@table10_4,[table10_5]=@table10_5,[table10_6]=@table10_6,[table10_7]=@table10_7,[table10_8]=@table10_8,[table10_9]=@table10_9,[table10_10]=@table10_10,[table10_11]=@table10_11,[dateTime]=@dateTime,[creater]=@creater where [table9_orderNo]=@table9_orderNo;";
//创建 SQL 参数数组
SqlParameter[] parameters2 = new SqlParameter[]
{
#region 防注入
new SqlParameter("@table9_orderNo", table9_orderNo),
new SqlParameter("@table8_1", table8_1),
new SqlParameter("@table8_2", table8_2),
new SqlParameter("@table8_3", table8_3),
new SqlParameter("@table8_4", table8_4),
new SqlParameter("@table8_5", table8_5),
new SqlParameter("@table8_6", table8_6),
new SqlParameter("@table8_7", table8_7),
new SqlParameter("@table8_8", table8_8),
new SqlParameter("@table8_9", table8_9),
new SqlParameter("@table8_10", table8_10),
new SqlParameter("@table8_11", table8_11),
new SqlParameter("@table9_1", table9_1),
new SqlParameter("@table9_2", table9_2),
new SqlParameter("@table9_4", table9_4),
new SqlParameter("@table9_5", table9_5),
new SqlParameter("@table9_6", table9_6),
new SqlParameter("@table9_7", table9_7),
new SqlParameter("@table9_8", table9_8),
new SqlParameter("@table9_9", table9_9),
new SqlParameter("@table9_10", table9_10),
new SqlParameter("@table9_11", table9_11),
new SqlParameter("@table9_12", table9_12),
new SqlParameter("@table9_13", table9_13),
new SqlParameter("@table9_14", table9_14),
new SqlParameter("@table9_15", table9_15),
new SqlParameter("@table9_16", table9_16),
new SqlParameter("@table9_17", table9_17),
new SqlParameter("@table9_18", table9_18),
new SqlParameter("@table9_19", table9_19),
new SqlParameter("@table9_20", table9_20),
new SqlParameter("@table9_21", table9_21),
new SqlParameter("@table9_22", table9_22),
new SqlParameter("@table9_23", table9_23),
new SqlParameter("@table9_24", table9_24),
new SqlParameter("@table9_25", table9_25),
new SqlParameter("@table9_26", table9_26),
new SqlParameter("@table10_1", table10_1),
new SqlParameter("@table10_2", table10_2),
new SqlParameter("@table10_3", table10_3),
new SqlParameter("@table10_4", table10_4),
new SqlParameter("@table10_5", table10_5),
new SqlParameter("@table10_6", table10_6),
new SqlParameter("@table10_7", table10_7),
new SqlParameter("@table10_8", table10_8),
new SqlParameter("@table10_9", table10_9),
new SqlParameter("@table10_10", table10_10),
new SqlParameter("@table10_11", table10_11),
new SqlParameter("@dateTime", dateTime),
new SqlParameter("@creater", creater)
#endregion
};
int result2 = SqlhelperClass.sqlHelper.ExecuteNonQuery(updateSql, CommandType.Text, parameters2);
MessageBox.Show("当前页面所有数据更新成功!");
}
}
#region 赋值给截面下拉清单
// 调用ExecuteScalar方法的示例
string queryString2 = "select ROW_NUMBER() OVER (ORDER BY [table9_orderNo]) AS ID, [table9_orderNo] from [dbo].[1swtabledata]"; // 这里是一个没有参数的SQL查询
DataTable result3 = SqlhelperClass.sqlHelper.ExecuteDataTable(queryString2, CommandType.Text);
// 遍历DataTable的每一行
List<KeyValuePair<string, string>> lstCom = new List<KeyValuePair<string, string>>();
foreach (DataRow row in result3.Rows)
{
// 假设第一列是Key,第二列是Value
string key = row["ID"].ToString();
string value = row["table9_orderNo"].ToString();
// 创建KeyValuePair并添加到列表中
lstCom.Add(new KeyValuePair<string, string>(key, value));
}
this.ucCombox_type.Source = lstCom;
#endregion
}
catch (Exception ex)
{
Serilog.Log.Error(ex.Message);
MessageBox.Show(ex.Message + "-请确认SolidWorks软件是否已经正常打开");
}