防范方法二:存储过程
存储过程和参数化查询的作用是一样的,唯一的不同在于存储过程是预先定义并存放在数据库中,从而被应用程序调用的。
Java存储过程示例:
String custname = request.getParameter("customerName");
try {
CallableStatement cs = connection.prepareCall("call sp_getAccountBalance(?)}");
cs.setString(1,custname);
Result results = cs.executeQuery();
}catch(SQLException se){
//error handling
}
VB .Net存储过程示例:
Try
Dim command As SqlCommand = new SqlCommand("sp_getAccountBalance",connection)
command.CommandType = CommandType.StoredProcedure
command.Parameters.Add(new SqlParameter("@CustomerName",CustomerName.Text))
Dim reader As SqlDataReader = command.ExecuteReader()
‘…
Catch se As SqlException
‘error handling
End Try