动态sql防止sql注入的示例:
在对应的数据库中添加以下sql语句:
DECLARE @variable NVARCHAR(100)
DECLARE @SQLString NVARCHAR(1024)
DECLARE @ParmDefinition NVARCHAR(500)
SET @SQLString = N'SELECT OEV.Name, OEV.Position, Base_Employee.Address, OEV.Telephone, OEV.MobilePhone, OEV.Email, OEV.RealDepID
FROM Base_OrganizeEmployeeView AS OEV
JOIN Base_Employee
ON Base_Employee.Emp_ID = OEV.Emp_ID
WHERE (OEV.Account LIKE ''%'' + @searchFilter + ''%'' OR OEV.Name LIKE ''%'' + @searchFilter + ''%'' OR OEV.Position LIKE ''%'' + @searchFilter + ''%'' ) AND STATE = 1'
SET @parmDefinition = N'@searchFilter varchar(100)'
SET @variable = N'k'
EXECUTE sp_executesql @SQLString, @ParmDefinition, @searchFilter = @variable
辰迅云「云服务器」,即开即用、新一代英特尔至强铂金CPU、三副本存储NVMe SSD云盘,价格低至29元/月。点击查看>>
推荐阅读: sql注入的参数是什么意思
云服务器
物理服务器
虚拟主机
跨境电商服务器