// Connection string with the 'sa' login and its password embedded directly in source.
// NOTE(review): a sysadmin login and a plaintext password in code mean any reader of the
// source owns the server; credentials belong in configuration (or integrated security).
string strcon = "Persist Security Info=False;User id=sa;pwd=lovemary;database=student;server=(local) ";
SqlConnection sql = new SqlConnection(strcon);
// Opened here and never closed or disposed anywhere in this snippet; a using block would release it.
sql.Open();
SqlCommand com = new SqlCommand();
com.Connection = sql;
// The WHERE value is built by string concatenation from the textbox contents, so whatever the
// user types becomes part of the SQL text itself — this is the injection the text below explains.
// NOTE(review): if tbXH is a System.Windows.Forms.TextBox, the property is `Text` (capital T);
// `.text` as written would not compile.
com.CommandText = "delete from XSB where XH ='"+tbXH.text+"'";
直接这样拼接字符串会导致什么问题呢？比如用户在 tbXH（TextBox 控件）中输入 1'or'1'='1 ；
这样这句 SQL 语句的 where 条件就永远成立，如 delete from XSB where XH ='1'or'1'='1' 会删掉表中所有记录。
如何解决呢?
用参数化查询:
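// Parameterised form: the textbox value travels to SQL Server as the @XH parameter value,
// so it is treated as data and cannot alter the structure of the statement.
com.CommandText = "delete from XSB where XH = @XH";
// `Text` (capital T) is the TextBox property; the original `.text` does not compile.
// Declaring the parameter with the column's SqlDbType and size would be even better for
// plan reuse, but the XH column's type is not shown here.
com.Parameters.Add(new SqlParameter("@XH", tbXH.Text));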
以下几种SQL语句均可用参数化查询
"delete from XSB where XH = @XH"
"INSERT INTO XSB(XH,XM,XB,CSRQ,ZY,ZXF)VALUES(@Name,@Age,.... )"
"select.....where = @.."
"update ...set Age = @.."