MS SqlServer参数化
/// <summary>
/// 根据类别获得随机数据列表
/// </summary>
public DataSet GetList(int count, string pids, string sex)
{
StringBuilder strSql = new StringBuilder();
SqlParameter[] arrParam;
strSql.Append("select top " + @count + " * from products");
if (pids != string.Empty && pids != "0")
strSql.Append(" where producttype_id in( " + @pids + ")");
strSql.Append(" order by newid()");
arrParam = new SqlParameter[]
{
new SqlParameter("@count",count),
new SqlParameter("@pids",pids)
};
return SqlHelper.ExecuteDataset(CommandType.Text, strSql.ToString(), arrParam);
}
为了防止注入用参数化这样做和直接拼SQL有区别吗?能达到防止注入的效果么?SqlParameter到底做了些什么?