1、参数化查询方法：usingSystem.Data.SqlClient;//引入命名空间publicpartialclass_Default:System.Web.UI.Page{protectedvoidPage_Load(objectsender,EventArgse){}protectedvoidimgBtnLogin_Click(objectsender,ImageClickEventArgse){if(txtUserID.Text!=""){inti=checkLogin(txtUserID.Text,txtPwd.Text);if(i>0){Response.Write("");}else{lblMessage.Text="用户名不存在！";}}else{lblMessage.Text="用户名不能为空！";lblMessage.ForeColor=System.Drawing.Color.Red;}}///

///参数化查询预防SQL注入式攻击///

publicintcheckLogin(stringloginName,stringloginPwd){stringstrsql="selectcount(*)fromtb_LoginUserwhereUserName=@UserNameandPassWord=@PassWord";SqlConnectionconn=newSqlConnection("server=WRET-MOSY688YVW\\MRGLL;DataBase=db_08;uid=sa;pwd=;");if(conn.State.Equals(ConnectionState.Closed))//存在，判断是否关闭{conn.Open();//连接处于关闭状态，重新打开}SqlCommandsqlcom=newSqlCommand(strsql,conn);sqlcom.Parameters.Add(newSqlParameter("@UserName",SqlDbType.NVarChar,50));sqlcom.Parameters["@UserName"].Value=loginName;sqlcom.Parameters.Add(newSqlParameter("@PassWord",SqlDbType.NVarChar,50));sqlcom.Parameters["@PassWord"].Value=loginPwd;inti=(int)sqlcom.ExecuteScalar();conn.Close();returni;}}2、存储过程2.1Global.aspx：voidApplication_Start(objectsender,EventArgse){//在应用程序启动时运行的代码Application["count"]=0;}voidApplication_End(objectsender,EventArgse){//在应用程序关闭时运行的代码}voidApplication_Error(objectsender,EventArgse){//在出现未处理的错误时运行的代码}voidSession_Start(objectsender,EventArgse){//在新会话启动时运行的代码Application.Lock();Application["count"]=(int)Application["count"]+1;Application.UnLock();}voidSession_End(objectsender,EventArgse){//在会话结束时运行的代码。//注意:只有在Web.config文件中的sessionstate模式设置为//InProc时，才会引发Session_End事件。如果会话模式//设置为StateServer或SQLServer，则不会引发该事件。Application.Lock();Application["count"]=(int)Application["count"]-1;Application.UnLock();}2.2：用户控件：usingSystem.Data.SqlClient;publicpartialclassUserControl_User_Login:System.Web.UI.UserControl{protectedvoidPage_Load(objectsender,EventArgse){}protectedvoidimgbtnEnter_Click(objectsender,ImageClickEventArgse){if(txtUserID.Text!=""){inti=checkLogin(txtUserID.Text,txtPwd.Text);if(i>0){lblMessage.Text="您是合法用户！";lblMessage.ForeColor=System.Drawing.Color.Blue;}else{lblMessage.Text="用户名不存在！";lblMessage.ForeColor=System.Drawing.Color.Red;}}else{lblMessage.Text="用户名不能为空！";lblMessage.ForeColor=System.Drawing.Color.Red;}}///

///调用存储过程有效果预防SQL注入式攻击///

publicintcheckLogin(stringloginName,stringloginPwd){//创建数据库连接对象SqlConnectionconn=newSqlConnection("server=WRET-MOSY688YVW\\MRGLL;DataBase=db_08;uid=sa;pwd=;");if(conn.State.Equals(ConnectionState.Closed))//存在，判断是否关闭{conn.Open();//连接处于关闭状态，重新打开}SqlCommandsqlcom=newSqlCommand("getLoginUser",conn);sqlcommandType=CommandType.StoredProcedure;//指定数据操作为存储过程sqlcom.Parameters.Add(newSqlParameter("@UserName",SqlDbType.NVarChar,50));sqlcom.Parameters["@UserName"].Value=loginName;sqlcom.Parameters.Add(newSqlParameter("@PassWord",SqlDbType.NVarChar,50));sqlcom.Parameters["@PassWord"].Value=loginPwd;inti=(int)sqlcom.ExecuteScalar();conn.Close();returni;}}2.3：Default.aspx:usingSystem.Data.SqlClient;publicpartialclass_Default:System.Web.UI.Page{publicSqlConnectionsqlcon=newSqlConnection(ConfigurationSettings.AppSettings["ConnStr"]);protectedvoidPage_Load(objectsender,EventArgse){Label3.Text="您是该网站的第["+Application["count"].ToString()+"]访问者!";}}