1. The difference between parameterized and non-parameterized SQL statements
Non-parameterized (user input is concatenated directly into the SQL text, so any quote character in the input becomes part of the statement):
string sql = "SELECT TOP 1 * FROM [User] WHERE UserName = '" + userName + "' AND Password = '" + password + "'";
Parameterized (the SQL text is fixed; the values are sent separately as typed parameters and are never parsed as SQL):
SqlCommand cmd = new SqlCommand("SELECT TOP 1 * FROM [User] WHERE UserName = @UserName AND Password = @Password");
cmd.Connection = conn;
cmd.Parameters.AddWithValue("@UserName", "user01");
cmd.Parameters.AddWithValue("@Password", "123456");
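The two forms side by side, as an added example that is not part of the original page. It builds the same login lookup with string concatenation and with SqlCommand parameters, then feeds both a constructed input containing a single quote to show that only the concatenated version lets the input alter the statement. The connection string, the sample values and the parameter sizes are assumptions.

```csharp
// Added example (not from the original page): the login lookup written two
// ways, to show why the parameterized form is the safe one.
// Assumes the System.Data.SqlClient package and the [User] table from the page;
// the connection string and the sample inputs are constructed placeholders.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // Vulnerable: user input is spliced into the SQL text, so a quote in the
    // input changes the structure of the statement. Kept only for comparison.
    public static string BuildConcatenated(string userName, string password)
    {
        return "SELECT TOP 1 * FROM [User] WHERE UserName = '" + userName +
               "' AND Password = '" + password + "'";
    }

    // Safe: the SQL text is constant; values travel to the server as typed
    // parameters and are never parsed as part of the statement.
    public static SqlCommand BuildParameterized(SqlConnection conn, string userName, string password)
    {
        var cmd = new SqlCommand(
            "SELECT TOP 1 * FROM [User] WHERE UserName = @UserName AND Password = @Password",
            conn);
        // Explicit types and lengths are preferable to AddWithValue, which must
        // infer the SQL type from the .NET value (assumed column sizes below).
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
        cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 128).Value = password;
        // Note: comparing a plaintext Password column, as the page's query does,
        // is a separate weakness; store and compare a salted hash instead.
        return cmd;
    }

    public static void Main()
    {
        // Constructed input containing a single quote.
        string name = "O'Brien";
        string pwd = "123456";

        Console.WriteLine(BuildConcatenated(name, pwd));
        // The apostrophe terminates the string literal early, so the statement
        // printed above is malformed: the input was interpreted as SQL syntax.

        // Placeholder connection string; no server is contacted unless conn.Open() is called.
        using (var conn = new SqlConnection("Server=(local);Database=AppDb;Integrated Security=true"))
        using (var cmd = BuildParameterized(conn, name, pwd))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
            {
                Console.WriteLine($"{p.ParameterName} = {p.Value}");
            }
            // The command text is unchanged by the input; to run it against a
            // real server: conn.Open(); using (var reader = cmd.ExecuteReader()) { ... }
        }
    }
}
```

The printed output makes the contrast visible: the concatenated query contains the raw apostrophe inside the SQL text, while the parameterized command text still reads exactly as written in the source, with the values listed separately.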
Time: 2024-10-20 15:54:39