SqlCommand parameterized query and SqlCommand parameterization

SqlCommand parameterized query and SqlCommand parameterization

String strcon = "Persist Security Info = False; User id = sa; pwd = lovemary; database = student; server = (local )";
SqlConnection SQL = new SqlConnection (strcon );
SQL. Open ();
SqlCommand com = new SqlCommand ();

Com. Connection = SQL;

Com. CommandText = "delete from XSB where XH = '" + tbXH. text + "'";

What is the problem caused by direct assignment? For example, you can enter "1" or "1" = "1" in tbXH (textbox attribute name).

This will cause this SQL statement to remain valid forever. For example, if delete from XSB where XH = '1' or '1' = '1', all records in the table will be deleted.

How can this problem be solved?

Parameterized query:

Com. CommandText = "delete from XSB where XH = @ XH ";

Com. Parameters. Add (new SqlParameter ("@ XH", tbXH. text ));

The following SQL statements can be parameterized for query:

"Delete from XSB where XH = @ XH"

"Insert into xsb (XH, XM, XB, CSRQ, ZY, ZXF) VALUES (@ Name, @ Age ,....)"

"Select... where = @.."

"Update... set Age = @.."