动态sql防止sql注入的示例:
在对应的数据库中添加以下sql语句:
DECLARE @variable NVARCHAR(100)
DECLARE @SQLString NVARCHAR(1024)
DECLARE @ParmDefinition NVARCHAR(500)
SET @SQLString = N’SELECT OEV.Name, OEV.Position, Base_Employee.Address, OEV.Telephone, OEV.MobilePhone, OEV.Email, OEV.RealDepID
FROM Base_OrganizeEmployeeView AS OEV
JOIN Base_Employee
ON Base_Employee.Emp_ID = OEV.Emp_ID
WHERE (OEV.Account LIKE ”%” + @searchFilter + ”%” OR OEV.Name LIKE ”%” + @searchFilter + ”%” OR OEV.Position LIKE ”%” + @searchFilter + ”%” ) AND STATE = 1′
SET @parmDefinition = N’@searchFilter varchar(100)’
SET @variable = N’k’
EXECUTE sp_executesql @SQLString, @ParmDefinition, @searchFilter = @variable
