SqlCommand parameterized queries (SqlCommand parameterization)
using System.Data.SqlClient;

string strcon = "Persist Security Info = False; User id = sa; pwd = lovemary; database = student; server = (local)";
SqlConnection SQL = new SqlConnection(strcon);
SQL.Open();
SqlCommand com = new SqlCommand();
com.Connection = SQL;
// Vulnerable: the textbox value is spliced straight into the SQL text
com.CommandText = "delete from XSB where XH = '" + tbXH.Text + "'";
What is wrong with concatenating the value directly? Suppose a user types 1' or '1' = '1 into tbXH (the textbox). The statement sent to the server becomes delete from XSB where XH = '1' or '1' = '1', and its WHERE clause is true for every row, so every record in XSB is deleted. The user controls where the string literal ends, so anything after the closing quote is executed as SQL; since SqlCommand sends the text as a batch, a semicolon followed by a second statement would run just as well. The sample also connects as sa with the password embedded in the code, a separate problem that makes injection worse: whatever is injected runs with sysadmin rights.
How can this be fixed? Use a parameterized query:
com.CommandText = "delete from XSB where XH = @XH";
com.Parameters.Add(new SqlParameter("@XH", tbXH.Text));
The statement text is now a constant and the textbox value travels to the server as a separate parameter value, so quotes inside it are only data and cannot change the query. Two caveats on the SqlParameter(string, object) constructor: it lets the driver infer the parameter type (nvarchar for a .NET string, which makes the server convert a char or varchar column before comparing), and an integer 0 passed as the second argument binds to the SqlParameter(string, SqlDbType) overload instead, so prefer Parameters.Add(name, SqlDbType, size).Value = ... when the column type is known.
The same pattern applies to any statement that takes user input; for example:
"Delete from XSB where XH = @XH"
"Insert into XSB (XH, XM, XB, CSRQ, ZY, ZXF) VALUES (@Name, @Age, ...)"
"Select ... where ... = @..."
"Update ... set Age = @..."
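The vulnerable DELETE beside its parameterized replacement, plus the INSERT from the list above, as an added example that is not code from the original page. The table XSB and its columns are the page's; the column types (XH assumed char(6), XB bit, CSRQ date, and so on), the XSB_CONNECTION_STRING environment variable and the sample student number are assumptions made here for illustration.

```csharp
// Added example, not code from the original page. Table XSB and its columns
// (XH, XM, XB, CSRQ, ZY, ZXF) come from the page; the column types, the
// XSB_CONNECTION_STRING variable and the sample values are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;   // Microsoft.Data.SqlClient exposes the same types

public static class XsbCommands
{
    // The page's first snippet as a function: the textbox value is spliced
    // into the SQL text, so the user decides where the string literal ends.
    public static string BuildUnsafeDelete(string xh)
    {
        return "delete from XSB where XH = '" + xh + "'";
    }

    // Parameterized replacement. The statement text is a constant; xh is
    // sent to the server as a separate typed value, so quotes in it are data.
    public static SqlCommand CreateDeleteCommand(SqlConnection conn, string xh)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "delete from XSB where XH = @XH";
        // Assumed column type char(6). Declaring type and size keeps the
        // driver from inferring nvarchar, which would make the server
        // implicitly convert the char column before comparing.
        cmd.Parameters.Add("@XH", SqlDbType.Char, 6).Value = xh;
        return cmd;
    }

    // Same pattern for the INSERT listed on the page: one typed parameter per
    // column (types assumed), named after the column rather than @Name/@Age.
    public static SqlCommand CreateInsertCommand(SqlConnection conn,
        string xh, string xm, bool xb, DateTime csrq, string zy, int zxf)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "insert into XSB (XH, XM, XB, CSRQ, ZY, ZXF) " +
            "values (@XH, @XM, @XB, @CSRQ, @ZY, @ZXF)";
        cmd.Parameters.Add("@XH", SqlDbType.Char, 6).Value = xh;
        cmd.Parameters.Add("@XM", SqlDbType.NChar, 8).Value = xm;
        cmd.Parameters.Add("@XB", SqlDbType.Bit).Value = xb;
        cmd.Parameters.Add("@CSRQ", SqlDbType.Date).Value = csrq;
        cmd.Parameters.Add("@ZY", SqlDbType.NChar, 12).Value = zy;
        cmd.Parameters.Add("@ZXF", SqlDbType.Int).Value = zxf;
        return cmd;
    }

    // Executes the parameterized DELETE and returns the number of rows removed.
    public static int DeleteStudent(SqlConnection conn, string xh)
    {
        // A student number that does not fit the column cannot be valid;
        // reject it here instead of handing it to the driver.
        if (string.IsNullOrEmpty(xh) || xh.Length > 6)
            throw new ArgumentException("XH must be 1 to 6 characters", nameof(xh));
        using (SqlCommand cmd = CreateDeleteCommand(conn, xh))
            return cmd.ExecuteNonQuery();
    }

    public static void Main()
    {
        const string attack = "1' or '1' = '1";   // what the page's attacker types

        // 1. Concatenation: the WHERE clause is now true for every row.
        Console.WriteLine(BuildUnsafeDelete(attack));
        // delete from XSB where XH = '1' or '1' = '1'

        // 2. Parameterization: the text is unchanged and the whole input sits
        //    in the parameter value. No connection needs to be open for this.
        using (SqlConnection conn = new SqlConnection())
        using (SqlCommand cmd = CreateDeleteCommand(conn, attack))
        {
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("@XH = " + cmd.Parameters["@XH"].Value);
        }

        // 3. Against a real database (assumed connection string in the
        //    environment): only the row with that exact XH is deleted.
        string cs = Environment.GetEnvironmentVariable("XSB_CONNECTION_STRING");
        if (string.IsNullOrEmpty(cs))
        {
            Console.WriteLine("Set XSB_CONNECTION_STRING to run the delete.");
            return;
        }
        using (SqlConnection conn = new SqlConnection(cs))
        {
            conn.Open();
            int rows = DeleteStudent(conn, "081101");   // assumed student number
            Console.WriteLine("Rows deleted: " + rows);
        }
    }
}
```

Steps 1 and 2 run without a database and show the difference directly: the concatenated text carries the attacker's OR clause, while the parameterized command's text is exactly the string the programmer wrote and the whole input is held in @XH. Step 3 needs a connection string; the connection should use an account limited to the student database rather than sa, so that even a query that escapes parameterization elsewhere runs with the least possible rights.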