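// Connection string with the login and password embedded in source. This is
// acceptable only for a demo: 'sa' is the SQL Server super-user and its
// password now ships in every copy of the binary. Real code should use a
// least-privilege login (one that may delete from XSB and nothing else) and
// take the credential from configuration or integrated security, never a
// literal.
string strcon = "Persist Security Info=False;User id=sa;pwd=lovemary;database=student;server=(local) ";
SqlConnection sql = new SqlConnection(strcon);
sql.Open();
SqlCommand com = new SqlCommand();
com.Connection = sql;
// DELIBERATELY VULNERABLE (the page's "before" example): the key typed into
// tbXH is spliced into the SQL text, so a value containing a single quote
// rewrites the WHERE clause. A standard WinForms/WebForms TextBox exposes the
// value as "Text" (C# is case-sensitive, so "text" would not compile).
// Both objects should be disposed (e.g. a `using` block) once the command
// has been executed; this fragment never calls ExecuteNonQuery.
com.CommandText = "delete from XSB where XH ='" + tbXH.Text + "'";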
直接這樣把用戶輸入拼接進 SQL 文本會導致什麼問題呢?比如用戶在 tbXH(TextBox 控件名)中輸入 `1' or '1'='1`(注意:程式碼會在輸入前後自動補上單引號);
拼接後的語句變成 `delete from XSB where XH ='1' or '1'='1'`:輸入中的單引號結束了原本的字串常量,其後的內容被當作 SQL 執行,WHERE 條件永遠成立,會刪掉表中所有記錄。
如何解決呢?
解決方法是使用參數化查詢:用戶輸入只作為參數的「值」傳給資料庫,不會成為 SQL 文本的一部分:
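// Fix: pass the user's input as a parameter. The value travels separately
// from the SQL text, so a quote in tbXH.Text can no longer change the
// statement; "1' or '1'='1" is just a key that matches no row.
com.CommandText = "delete from XSB where XH = @XH";
// Declare the parameter's SQL type explicitly instead of letting the provider
// infer it from the CLR value (NVarChar is what a string maps to anyway, so
// behaviour is unchanged). Match the type and length of the XH column —
// assumed here to be a character column, confirm against the schema — so the
// comparison does not force an implicit conversion. For integer values beware
// the (string, SqlDbType) overload: `new SqlParameter("@p", 0)` picks it
// instead of (string, object).
SqlParameter xh = new SqlParameter("@XH", System.Data.SqlDbType.NVarChar);
xh.Value = tbXH.Text;
com.Parameters.Add(xh);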
以下幾種 SQL 語句均可用參數化查詢(注意:參數只能代替「值」,不能代替表名、列名或 ORDER BY 子句;這類內容若來自用戶輸入,需用白名單校驗):
"delete from XSB where XH = @XH"
"INSERT INTO XSB(XH,XM,XB,CSRQ,ZY,ZXF) VALUES(@XH,@XM,@XB,@CSRQ,@ZY,@ZXF)"(參數與列名一一對應)
"select ... where XH = @XH"
"update ...set Age = @.."