Defense method 2: Stored procedures
Stored procedures serve the same purpose as parameterized queries. The only difference is that a stored procedure is defined in advance and stored in the database, and the application then calls it. As long as the procedure body itself uses its parameters as values rather than concatenating them into dynamic SQL, user input never becomes part of the SQL text.
Java stored procedure example (JDBC):
    String custname = request.getParameter("customerName");
    try {
        // The call string uses the JDBC escape syntax {call ...}; the "?" is a bound parameter
        CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
        cs.setString(1, custname);   // input is passed as a value, never spliced into the SQL
        ResultSet results = cs.executeQuery();
    } catch (SQLException se) {
        //error handling
    }
VB .NET stored procedure example (ADO.NET):
    Try
        Dim command As SqlCommand = New SqlCommand("sp_getAccountBalance", connection)
        command.CommandType = CommandType.StoredProcedure
        ' The value is bound to the @CustomerName parameter of the procedure
        command.Parameters.Add(New SqlParameter("@CustomerName", CustomerName.Text))
        Dim reader As SqlDataReader = command.ExecuteReader()
        '...
    Catch se As SqlException
        'error handling
    End Try
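Both snippets above call sp_getAccountBalance but the page does not show the procedure itself. The following T-SQL definition is an added example, not code from the original page; it assumes a table dbo.Accounts with columns CustomerName and Balance, and the application login name app_user is hypothetical.

```sql
-- Added example: a parameterized body for the sp_getAccountBalance procedure
-- called by the Java and VB .NET snippets above.
-- Assumed schema (not from the page): dbo.Accounts(CustomerName NVARCHAR(100), Balance DECIMAL(18,2))
CREATE PROCEDURE dbo.sp_getAccountBalance
    @CustomerName NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- The parameter is used directly as a comparison value. The caller's input is
    -- never part of the SQL text, so quotes or SQL keywords inside it are just
    -- characters of a customer name and cannot change the query.
    -- Do NOT build the statement as a string inside the procedure (EXEC / sp_executesql
    -- on a concatenated string); that would reintroduce the injection this defense removes.
    SELECT Balance
    FROM dbo.Accounts
    WHERE CustomerName = @CustomerName;
END;
GO

-- Least privilege: the application account only needs to execute the procedure.
-- It does not need SELECT on dbo.Accounts, so a compromised app login cannot
-- read the table directly. (app_user is a hypothetical login name.)
GRANT EXECUTE ON OBJECT::dbo.sp_getAccountBalance TO app_user;
GO

-- Sanity check with a name containing an apostrophe: the value is handled as a
-- literal, so the call succeeds and simply returns that customer's balance (or no rows).
EXEC dbo.sp_getAccountBalance @CustomerName = N'O''Brien';
```

Run the sanity check as app_user and confirm that `SELECT * FROM dbo.Accounts` is denied while the EXEC succeeds; that verifies both the parameterization and the permission boundary.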