下面的代码容易受到SQL注入的影响,我正在尝试纠正以前开发人员的代码;他使用DataTable
进一步使用查询 - 如何使用准备语句和数据表?
string data = "";
int i = 1;
cmd = new SqlCommand("select * from maincategory where isactive=1 and id in (select catid from productmaster where isactive=1)", con);
con.Open();
DataTable dt = new DataTable();
dt.Load(cmd.ExecuteReader());
con.Close();
if (dt.Rows.Count > 0)
{
data += "<ul>";
foreach (DataRow DR in dt.Rows)
{
data += "<li><a href='product.aspx?cid="+DR["id"]+"'>" + DR["catname"] + "</a></li>";
}
data += " </ul>";
}
lblpartners.Text = data;
我尝试过的代码:
public void show()
{
string data = "";
int i = 1;
cmd = new SqlCommand("select * from maincategory where isactive=@val1 and id in (select catid from productmaster where isactive=@val2)", con);
con.Open();
cmd.Parameters.AddWithValue("@val1", 1);
cmd.Parameters.AddWithValue("@val2", 1);
DataTable dt = new DataTable();
dt.Load(cmd.Prepare());
con.Close();
if (dt.Rows.Count > 0)
{
data += "<ul>";
foreach (DataRow DR in dt.Rows)
{
data += "<li><a href='product.aspx?cid="+DR["id"]+"'>" + DR["catname"] + "</a></li>";
}
data += " </ul>";
}
lblpartners.Text = data;
}
SqlCommand.Prepare
不返回IDataReader,它是一个void方法。DataReader.Load()
需要一个IDataReader
对象。
也许你的意思是dt.Load(cmd.ExecuteReader())
?