（ADO.NET）SqlCommand参数化查询

（ADO.NET）SqlCommand参数化查询string strcon = "Persist Security Info=False;User id=sa;pwd=lovemary;database=student;server=(local) "; SqlConnection sql = new SqlConnection(strcon); sql.Open(); SqlCommand com = new SqlCommand();

com.Connection = sql;

com.CommandText = "delete from XSB where XH ='"+tbXH.text+"'";

直接这样赋值会导致一个什么问题呢？比如用户在tbXH（textbox属性名）中输入” 1‘or‘1’=’1‘ “；

这样就会导致这句SQL语句，永远成立，如delete from XSB where XH ='1’or‘1’=‘1’ 会导致删掉表中所有记录

如何解决呢？

用参数化查询：

com.CommandText = "delete from XSB where XH = @XH";

com.Parameters.Add(new SqlParameter("@XH",tbXH.text));

以下几种SQL语句均可用参数化查询

"delete from XSB where XH = @XH"

"INSERT INTO XSB(XH,XM,XB,CSRQ,ZY,ZXF)VALUES(@Name,@Age,....)"

"select.....where = @.."

"update ...set Age = @.."