// VULNERABLE EXAMPLE (kept on purpose): this is the "before" listing the page explains below.
// NOTE(review): the connection string hard-codes the "sa" login and its password in source.
// In real code keep credentials out of the source tree and run the delete under a
// least-privilege database login rather than sa.
// NOTE(review): the connection is opened but never closed/disposed here — wrap it in `using`.
string strcon = "Persist Security Info=False;User id=sa;pwd=lovemary;database=student;server=(local) "; SqlConnection sql = new SqlConnection(strcon); sql.Open(); SqlCommand com = new SqlCommand();
com.Connection = sql;
// SQL injection: tbXH.text is concatenated straight into the statement text, so a value
// such as  1' or '1'='1  rewrites the WHERE clause and the delete matches every row in XSB.
com.CommandText = "delete from XSB where XH ='"+tbXH.text+"'";
直接這樣把輸入拼接進 SQL 字串會導致什麼問題呢？比如用戶在 tbXH（TextBox 控制項名稱）中輸入 `1' or '1'='1`；
這樣拼接出來的 SQL 語句 WHERE 條件就永遠成立：delete from XSB where XH ='1' or '1'='1'（'1'='1' 恆為真），結果會刪掉表中所有記錄。
如何解決呢?
用參數化查詢：
// Parameterized form: the user-supplied value is sent as a bound parameter, so the
// server never re-parses it as part of the statement text and the quote trick above fails.
com.CommandText = "delete from XSB where XH = @XH";
// NOTE(review): this SqlParameter overload infers SqlDbType from the .NET value (a string).
// If XSB.XH is not an nvarchar column, set SqlDbType/Size explicitly to avoid an implicit
// conversion on every row — confirm against the table schema.
SqlParameter xhParam = new SqlParameter("@XH", tbXH.text);
com.Parameters.Add(xhParam);
以下幾種 SQL 語句均可使用參數化查詢（注意：參數只能代替「值」，不能代替表名、欄位名、ORDER BY 欄位等識別字；那類動態內容仍需用白名單檢查）：
"delete from XSB where XH = @XH"
"INSERT INTO XSB(XH,XM,XB,CSRQ,ZY,ZXF) VALUES(@XH,@XM,@XB,@CSRQ,@ZY,@ZXF)"（每個 @參數都要對應一個 com.Parameters.Add）
"select.....where = @.."
"update ...set Age = @.."