c#中使用sql防注入方式写入数据

try

{

if (this.textBoxTransparent2_3.Text == null || this.textBoxTransparent2_3.Text == "")

{

MessageBox.Show("MIS项目编号是必填项！"); this.textBoxTransparent2_3.Focus(); return;

}

else if (textBoxTransparent_path.Text == "" || textBoxTransparent_path.Text == null)

{

MessageBox.Show("选择将要写入数据的SW工程图！"); this.textBoxTransparent_path.Focus(); return;

}

else

{

#region 写入工程图

tableEight();

tableNine();

tableTen();

MessageBox.Show("写入工程图成功");

#endregion

string table9_orderNo = this.textBoxTransparent2_3.Text;

DateTime dateTime = DateTime.Now;

string creater = global.account;

#region table8

string table8_1 = this.textBoxTransparent_1.Text;

string table8_2 = this.textBoxTransparent_2.Text;

string table8_3 = this.textBoxTransparent_3.Text;

string table8_4 = this.textBoxTransparent_4.Text;

string table8_5 = this.textBoxTransparent_5.Text;

string table8_6 = this.textBoxTransparent_6.Text;

string table8_7 = this.textBoxTransparent_7.Text;

string table8_8 = this.textBoxTransparent_8.Text;

string table8_9 = this.textBoxTransparent_9.Text;

string table8_10 = this.textBoxTransparent_10.Text;

string table8_11 = this.textBoxTransparent_11.Text;

#endregion

#region table9

string table9_1 = this.textBoxTransparent2_1.Text;

string table9_2 = this.textBoxTransparent2_2.Text;

string table9_4 = this.textBoxTransparent2_4.Text;

string table9_5 = this.textBoxTransparent2_5.Text;

string table9_6 = this.textBoxTransparent2_6.Text;

string table9_7 = this.textBoxTransparent2_7.Text;

string table9_8 = this.textBoxTransparent2_8.Text;

string table9_9 = this.textBoxTransparent2_9.Text;

string table9_10 = this.textBoxTransparent2_10.Text;

string table9_11 = this.textBoxTransparent2_11.Text;

string table9_12 = this.textBoxTransparent2_12.Text;

string table9_13 = this.textBoxTransparent2_13.Text;

string table9_14 = this.textBoxTransparent2_14.Text;

string table9_15 = this.textBoxTransparent2_15.Text;

string table9_16 = this.textBoxTransparent2_16.Text;

string table9_17 = this.textBoxTransparent2_17.Text;

string table9_18 = this.textBoxTransparent2_18.Text;

string table9_19 = this.textBoxTransparent2_19.Text;

string table9_20 = this.textBoxTransparent2_20.Text;

string table9_21 = this.textBoxTransparent2_21.Text;

string table9_22 = this.textBoxTransparent2_22.Text;

string table9_23 = this.textBoxTransparent2_23.Text;

string table9_24 = this.textBoxTransparent2_24.Text;

string table9_25 = this.textBoxTransparent2_25.Text;

string table9_26 = this.textBoxTransparent2_26.Text;

#endregion

#region table10

string table10_1 = this.textBoxTransparent3_1.Text;

string table10_2 = this.textBoxTransparent3_2.Text;

string table10_3 = this.textBoxTransparent3_3.Text;

string table10_4 = this.textBoxTransparent3_4.Text;

string table10_5 = this.textBoxTransparent3_5.Text;

string table10_6 = this.textBoxTransparent3_6.Text;

string table10_7 = this.textBoxTransparent3_7.Text;

string table10_8 = this.textBoxTransparent3_8.Text;

string table10_9 = this.textBoxTransparent3_9.Text;

string table10_10 = this.textBoxTransparent3_10.Text;

string table10_11 = this.textBoxTransparent3_11.Text;

#endregion

// 调用ExecuteScalar方法的示例

string queryString = "select $table9_orderNo$ FROM $dbo$ . $1swtabledata$ where $table9_orderNo$ = '" + table9_orderNo + "'"; // 这里是一个没有参数的SQL查询

object result = SqlhelperClass.sqlHelper.ExecuteScalar(queryString, CommandType.Text);

if (result == null) // 如果没有此序列号，则新增数据

{

//如果没有此唯一序列号，就插入新增

// 定义你的 SQL 插入语句

string insertSql = "insert into $dbo$ . $1swtabledata$ ( $table9_orderNo$ , $table8_1$ , $table8_2$ , $table8_3$ , $table8_4$ , $table8_5$ , $table8_6$ , $table8_7$ , $table8_8$ , $table8_9$ , $table8_10$ , $table8_11$ , $table9_1$ , $table9_2$ , $table9_4$ , $table9_5$ , $table9_6$ , $table9_7$ , $table9_8$ , $table9_9$ , $table9_10$ , $table9_11$ , $table9_12$ , $table9_13$ , $table9_14$ , $table9_15$ , $table9_16$ , $table9_17$ , $table9_18$ , $table9_19$ , $table9_20$ , $table9_21$ , $table9_22$ , $table9_23$ , $table9_24$ , $table9_25$ , $table9_26$ , $table10_1$ , $table10_2$ , $table10_3$ , $table10_4$ , $table10_5$ , $table10_6$ , $table10_7$ , $table10_8$ , $table10_9$ , $table10_10$ , $table10_11$ , $dateTime$ , $creater$ ) values (@table9_orderNo, @table8_1, @table8_2, @table8_3, @table8_4, @table8_5, @table8_6, @table8_7, @table8_8, @table8_9, @table8_10, @table8_11, @table9_1, @table9_2, @table9_4, @table9_5, @table9_6, @table9_7, @table9_8,@table9_9, @table9_10, @table9_11, @table9_12, @table9_13, @table9_14, @table9_15, @table9_16, @table9_17, @table9_18, @table9_19, @table9_20, @table9_21, @table9_22, @table9_23, @table9_24, @table9_25, @table9_26, @table10_1, @table10_2, @table10_3, @table10_4, @table10_5, @table10_6, @table10_7, @table10_8, @table10_9, @table10_10, @table10_11, @dateTime, @creater);";

//创建 SQL 参数数组

SqlParameter\[\] parameters2 = new SqlParameter\[\]

{

#region 防注入

new SqlParameter("@table9_orderNo", table9_orderNo),

new SqlParameter("@table8_1", table8_1),

new SqlParameter("@table8_2", table8_2),

new SqlParameter("@table8_3", table8_3),

new SqlParameter("@table8_4", table8_4),

new SqlParameter("@table8_5", table8_5),

new SqlParameter("@table8_6", table8_6),

new SqlParameter("@table8_7", table8_7),

new SqlParameter("@table8_8", table8_8),

new SqlParameter("@table8_9", table8_9),

new SqlParameter("@table8_10", table8_10),

new SqlParameter("@table8_11", table8_11),

new SqlParameter("@table9_1", table9_1),

new SqlParameter("@table9_2", table9_2),

new SqlParameter("@table9_4", table9_4),

new SqlParameter("@table9_5", table9_5),

new SqlParameter("@table9_6", table9_6),

new SqlParameter("@table9_7", table9_7),

new SqlParameter("@table9_8", table9_8),

new SqlParameter("@table9_9", table9_9),

new SqlParameter("@table9_10", table9_10),

new SqlParameter("@table9_11", table9_11),

new SqlParameter("@table9_12", table9_12),

new SqlParameter("@table9_13", table9_13),

new SqlParameter("@table9_14", table9_14),

new SqlParameter("@table9_15", table9_15),

new SqlParameter("@table9_16", table9_16),

new SqlParameter("@table9_17", table9_17),

new SqlParameter("@table9_18", table9_18),

new SqlParameter("@table9_19", table9_19),

new SqlParameter("@table9_20", table9_20),

new SqlParameter("@table9_21", table9_21),

new SqlParameter("@table9_22", table9_22),

new SqlParameter("@table9_23", table9_23),

new SqlParameter("@table9_24", table9_24),

new SqlParameter("@table9_25", table9_25),

new SqlParameter("@table9_26", table9_26),

new SqlParameter("@table10_1", table10_1),

new SqlParameter("@table10_2", table10_2),

new SqlParameter("@table10_3", table10_3),

new SqlParameter("@table10_4", table10_4),

new SqlParameter("@table10_5", table10_5),

new SqlParameter("@table10_6", table10_6),

new SqlParameter("@table10_7", table10_7),

new SqlParameter("@table10_8", table10_8),

new SqlParameter("@table10_9", table10_9),

new SqlParameter("@table10_10", table10_10),

new SqlParameter("@table10_11", table10_11),

new SqlParameter("@dateTime", dateTime),

new SqlParameter("@creater", creater)

#endregion

};

int result2 = SqlhelperClass.sqlHelper.ExecuteNonQuery(insertSql, CommandType.Text, parameters2);

MessageBox.Show("当前页面所有数据存档成功！");

}

else

{

string updateSql = "update $dbo$ . $1swtabledata$ set $table8_1$ =@table8_1, $table8_2$ =@table8_2, $table8_3$ =@table8_3, $table8_4$ =@table8_4, $table8_5$ =@table8_5, $table8_6$ =@table8_6, $table8_7$ =@table8_7, $table8_8$ =@table8_8, $table8_9$ =@table8_9, $table8_10$ =@table8_10, $table8_11$ =@table8_11, $table9_1$ =@table9_1, $table9_2$ =@table9_2, $table9_4$ =@table9_4, $table9_5$ =@table9_5, $table9_6$ =@table9_6, $table9_7$ =@table9_7, $table9_8$ =@table9_8, $table9_9$ =@table9_9, $table9_10$ =@table9_10, $table9_11$ =@table9_11, $table9_12$ =@table9_12, $table9_13$ =@table9_13, $table9_14$ =@table9_14, $table9_15$ =@table9_15, $table9_16$ =@table9_16, $table9_17$ =@table9_17, $table9_18$ =@table9_18, $table9_19$ =@table9_19, $table9_20$ =@table9_20, $table9_21$ =@table9_21, $table9_22$ =@table9_22, $table9_23$ =@table9_23, $table9_24$ =@table9_24, $table9_25$ =@table9_25, $table9_26$ =@table9_26, $table10_1$ =@table10_1, $table10_2$ =@table10_2, $table10_3$ =@table10_3, $table10_4$ =@table10_4, $table10_5$ =@table10_5, $table10_6$ =@table10_6, $table10_7$ =@table10_7, $table10_8$ =@table10_8, $table10_9$ =@table10_9, $table10_10$ =@table10_10, $table10_11$ =@table10_11, $dateTime$ =@dateTime, $creater$ =@creater where $table9_orderNo$ =@table9_orderNo;";

//创建 SQL 参数数组

SqlParameter\[\] parameters2 = new SqlParameter\[\]

{

#region 防注入

new SqlParameter("@table9_orderNo", table9_orderNo),

new SqlParameter("@table8_1", table8_1),

new SqlParameter("@table8_2", table8_2),

new SqlParameter("@table8_3", table8_3),

new SqlParameter("@table8_4", table8_4),

new SqlParameter("@table8_5", table8_5),

new SqlParameter("@table8_6", table8_6),

new SqlParameter("@table8_7", table8_7),

new SqlParameter("@table8_8", table8_8),

new SqlParameter("@table8_9", table8_9),

new SqlParameter("@table8_10", table8_10),

new SqlParameter("@table8_11", table8_11),

new SqlParameter("@table9_1", table9_1),

new SqlParameter("@table9_2", table9_2),

new SqlParameter("@table9_4", table9_4),

new SqlParameter("@table9_5", table9_5),

new SqlParameter("@table9_6", table9_6),

new SqlParameter("@table9_7", table9_7),

new SqlParameter("@table9_8", table9_8),

new SqlParameter("@table9_9", table9_9),

new SqlParameter("@table9_10", table9_10),

new SqlParameter("@table9_11", table9_11),

new SqlParameter("@table9_12", table9_12),

new SqlParameter("@table9_13", table9_13),

new SqlParameter("@table9_14", table9_14),

new SqlParameter("@table9_15", table9_15),

new SqlParameter("@table9_16", table9_16),

new SqlParameter("@table9_17", table9_17),

new SqlParameter("@table9_18", table9_18),

new SqlParameter("@table9_19", table9_19),

new SqlParameter("@table9_20", table9_20),

new SqlParameter("@table9_21", table9_21),

new SqlParameter("@table9_22", table9_22),

new SqlParameter("@table9_23", table9_23),

new SqlParameter("@table9_24", table9_24),

new SqlParameter("@table9_25", table9_25),

new SqlParameter("@table9_26", table9_26),

new SqlParameter("@table10_1", table10_1),

new SqlParameter("@table10_2", table10_2),

new SqlParameter("@table10_3", table10_3),

new SqlParameter("@table10_4", table10_4),

new SqlParameter("@table10_5", table10_5),

new SqlParameter("@table10_6", table10_6),

new SqlParameter("@table10_7", table10_7),

new SqlParameter("@table10_8", table10_8),

new SqlParameter("@table10_9", table10_9),

new SqlParameter("@table10_10", table10_10),

new SqlParameter("@table10_11", table10_11),

new SqlParameter("@dateTime", dateTime),

new SqlParameter("@creater", creater)

#endregion

};

int result2 = SqlhelperClass.sqlHelper.ExecuteNonQuery(updateSql, CommandType.Text, parameters2);

MessageBox.Show("当前页面所有数据更新成功！");

}

#region 赋值给截面下拉清单

// 调用ExecuteScalar方法的示例

string queryString2 = "select ROW_NUMBER() OVER (ORDER BY $table9_orderNo$ ) AS ID, $table9_orderNo$ from $dbo$ . $1swtabledata$ "; // 这里是一个没有参数的SQL查询

DataTable result3 = SqlhelperClass.sqlHelper.ExecuteDataTable(queryString2, CommandType.Text);

// 遍历DataTable的每一行

List<KeyValuePair<string, string>> lstCom = new List<KeyValuePair<string, string>>();

foreach (DataRow row in result3.Rows)

{

// 假设第一列是Key，第二列是Value

string key = row $"ID"$ .ToString();

string value = row $"table9_orderNo"$ .ToString();

// 创建KeyValuePair并添加到列表中

lstCom.Add(new KeyValuePair<string, string>(key, value));

}

this.ucCombox_type.Source = lstCom;

#endregion

}

catch (Exception ex)

{

Serilog.Log.Error(ex.Message);

MessageBox.Show(ex.Message + "-请确认SolidWorks软件是否已经正常打开");

}