Today I saw a friend saying that the database SQL injection problem is rather complex, so I wrote a simple case for your reference:
using System.Data;
using System.Data.SqlClient;

SqlConnection con = new SqlConnection(MYSQL); // MYSQL holds the connection string

// Using SqlParameter prevents SQL injection and also avoids some problems with binary streams (slices).
// Long form:
// SqlParameter sp = new SqlParameter("@username", SqlDbType.VarChar, 20);
//   1: the parameter name @username, 2: the corresponding database type, 3: the string length
// sp.Value = TxtUserName.Text.Trim(); // assign a value to the parameter
// com.Parameters.Add(sp);             // add it to the command object

// The same thing can be written more briefly:
SqlParameter[] sp = {
    new SqlParameter("@userName", TxtUserName.Text.Trim()),
    new SqlParameter("@userPwd", TxtUserPwd.Text.Trim())
};
string str = "SELECT * FROM userlogin WHERE userName=@userName AND userPwd=@userPwd"; // no single quotes needed around parameters
SqlCommand com = new SqlCommand(str, con);
com.Parameters.AddRange(sp);
con.Open();
SqlDataReader sdr = com.ExecuteReader();
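As an added example (not part of the original post), here is the unsafe concatenation pattern next to a hardened version of the same login check; the table name and column sizes (userlogin, varchar(20), varchar(64)), the connection string argument and the class and method names are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; assumes a table userlogin(userName varchar(20), userPwd varchar(64)).
public static class LoginRepository
{
    // UNSAFE pattern for contrast: user input becomes part of the SQL text,
    // so the database cannot distinguish data from query structure.
    public static string BuildUnsafeQuery(string userName, string userPwd)
    {
        return "SELECT COUNT(*) FROM userlogin WHERE userName='" + userName +
               "' AND userPwd='" + userPwd + "'";
    }

    // SAFE: the SQL text is constant; values are sent separately as typed parameters.
    public static bool UserExists(string connectionString, string userName, string userPwd)
    {
        const string sql =
            "SELECT COUNT(*) FROM userlogin WHERE userName = @userName AND userPwd = @userPwd";

        using (var con = new SqlConnection(connectionString))
        using (var com = new SqlCommand(sql, con))
        {
            // Explicit SqlDbType and size match the column definitions. The shorter
            // new SqlParameter("@userName", value) overload infers NVarChar sized to the
            // value, which can force implicit conversions against varchar columns and
            // produce one cached plan per distinct input length.
            com.Parameters.Add("@userName", SqlDbType.VarChar, 20).Value = userName.Trim();
            com.Parameters.Add("@userPwd", SqlDbType.VarChar, 64).Value = userPwd.Trim();

            con.Open();
            int count = Convert.ToInt32(com.ExecuteScalar());
            return count > 0;
        }
    }
}
```

The using blocks also close the connection and command on every path, which the original snippet leaves to the caller.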
This is my first post; if anything is improper, I hope the experts will point it out. Thank you.