1. The difference between parameterized and non-parameterized SQL statements
Non-parameterized (the user-supplied strings are pasted straight into the SQL text, so a quote character in userName or password changes the statement itself; this is the injectable form):
// Deliberately vulnerable: never build SQL this way with untrusted input.
string sql = "SELECT TOP 1 * FROM [User] WHERE UserName = '" + userName + "' AND Password = '" + password + "'";
Parameterized (the SQL text is fixed and the values are sent to the server separately as typed parameters, so they are never parsed as SQL no matter what characters they contain):
using System.Data.SqlClient;
// The statement contains only placeholders; the values are bound below.
SqlCommand cmd = new SqlCommand("SELECT TOP 1 * FROM [User] WHERE UserName = @UserName AND Password = @Password");
cmd.Connection = conn;
// Parameter names should carry the @ prefix that the statement uses.
cmd.Parameters.AddWithValue("@UserName", "user01");
cmd.Parameters.AddWithValue("@Password", "123456");
One caveat: AddWithValue infers the SQL type from the .NET value (a string becomes nvarchar), so against a varchar column it can force an implicit conversion and a slower plan; use Parameters.Add with an explicit SqlDbType and size when that matters.
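To make the difference concrete, here is an added example that is not part of the original article. It uses Python's sqlite3 module as a stand-in for SQL Server (an assumption: SQLite has no TOP, so LIMIT 1 is used, but the string-concatenation and parameter-binding behaviour is the same). The table contents and the attacker input are constructed for the example; the payload closes the string literal, makes the WHERE clause always true, and comments out the password check. A second constructed user with an apostrophe in the name shows that parameterization also fixes the plain correctness bug in the concatenated version.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed in-memory stand-in for the article's [User] table.
# Assumption: SQLite instead of SQL Server; the two behaviours shown are the same.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (UserName TEXT NOT NULL, Password TEXT NOT NULL)")
    conn.execute("INSERT INTO User VALUES ('user01', '123456')")
    conn.execute("INSERT INTO User VALUES ('o''brien', 'pw')")  # name containing a quote
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, user_name: str, password: str) -> Optional[Tuple[str, str]]:
    """Non-parameterized login, mirroring the article's concatenated query.
    Deliberately vulnerable: the input becomes part of the SQL text."""
    sql = (
        "SELECT UserName, Password FROM User WHERE UserName = '" + user_name
        + "' AND Password = '" + password + "' LIMIT 1"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, user_name: str, password: str) -> Optional[Tuple[str, str]]:
    """Parameterized login: the SQL text is fixed, the values are bound separately."""
    sql = "SELECT UserName, Password FROM User WHERE UserName = ? AND Password = ? LIMIT 1"
    return conn.execute(sql, (user_name, password)).fetchone()


# Constructed attacker input: terminates the literal, adds an always-true predicate,
# and turns the rest of the statement (including the password check) into a comment.
INJECTION = "' OR 1=1 --"


def attempt(fn, conn: sqlite3.Connection, user_name: str, password: str) -> str:
    """Classify one login attempt as granted, denied, or error (malformed SQL)."""
    try:
        return "granted" if fn(conn, user_name, password) is not None else "denied"
    except sqlite3.Error:
        return "error"  # concatenated input broke the statement itself


def compare(conn: Optional[sqlite3.Connection] = None) -> dict:
    """Run both implementations against valid credentials, the injection payload,
    and a legitimate user name that happens to contain a quote."""
    conn = conn or make_db()
    return {
        "unsafe_valid": attempt(login_unsafe, conn, "user01", "123456"),
        "unsafe_injected": attempt(login_unsafe, conn, INJECTION, "wrong"),
        "unsafe_quoted_name": attempt(login_unsafe, conn, "o'brien", "pw"),
        "safe_valid": attempt(login_safe, conn, "user01", "123456"),
        "safe_injected": attempt(login_safe, conn, INJECTION, "wrong"),
        "safe_quoted_name": attempt(login_safe, conn, "o'brien", "pw"),
    }


if __name__ == "__main__":
    for case, outcome in compare().items():
        print(f"{case}: {outcome}")
```

The concatenated version grants the login with a wrong password once the payload rewrites the statement, and errors out on a perfectly legitimate name containing a quote; the parameterized version denies the injected attempt and handles the quoted name correctly, because the driver sends the values as data rather than as SQL text.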
Original article: http://www.cnblogs.com/robothy/p/5047075.html