.net在Oracle数据库中为In条件查询防止sql注入参数化处理

//返回in条件处理方法

public static string InsertParameters(ref List<OracleParameter> orclParameters, int[] lsIds, string uniqueParName)

{

string strParametros = string.Empty;

for (int i = 0; i <= lsIds.Length - 1; i++)

{

strParametros += i == 0 ? ":" + uniqueParName + i : ", :" + uniqueParName + i;

OracleParameter param = new OracleParameter(uniqueParName + i.ToString(), OracleType.Number);

param.Value = lsIds[i];

orclParameters.Add(param);

}

return strParametros;

}

//代码调用使用

List<OracleParameter> parameterList = new List<OracleParameter>();

string[] strArray = state.Split(new char[] { ',' });

int[] intArray;

intArray = Array.ConvertAll<string, int>(strArray, s => int.Parse(s));//字符串数组转化为int数组

string idStr = DBOperator.InsertParameters(ref parameterList, intArray, "id");

//string www = "("+state+")";

strWhere += " and q.state in(idStr))";

for (int i = 0; i < idStr.Split(',').Length;i++ )

{

DBOperator.SPWrite.MakeInParam(idStr.Split(',')[i], DbType.Int32, -1, intArray[i]);

}