数据库参数化传递可以增强数据的安全性,但却会降低开发效率,为此创建了如下函数以解决这个问题:
public static string PrepareParameter(string sql, out SqlParameter[] cmdParms, params object[] args) { cmdParms = null; if (args != null && args.Length != 0) { string[] argNames = new string[args.Length]; cmdParms = new SqlParameter[args.Length]; string prefix = "arg"; for (int i = 0, c = args.Length; i < c; i++) { string ParameterName = prefix + i; cmdParms[i] = new SqlParameter(); cmdParms[i].ParameterName = ParameterName; cmdParms[i].Value = args[i]; argNames[i] = "@" + ParameterName; } sql = string.Format(sql, argNames); } return sql; }
使用方法如下:
