-- in SQL --
-- Create Ren's database, the Xinxi table, and insert one row (the record the C# sample later looks up by Code).
Create Database Ren
Go
Use Ren
Go
Create Table Xinxi
(
    Code nvarchar(50) Primary Key, -- numbering (the length was unreadable in the source listing; 50 is a constructed placeholder)
    Name nvarchar(50)              -- name
)
Insert into Xinxi Values ('1001', 'Zhangsan')
// DELIBERATELY VULNERABLE EXAMPLE: the value typed at the console is concatenated straight
// into the SQL text of both the SELECT and the UPDATE, so the input is executed as SQL
// instead of being treated as data. Keep it only as the "before" picture.
for (; ; )
{
    bool b = false; // using intermediate variables: records whether the code exists
    Console.Write("Please enter the number you want to modify:");
    string No = Console.ReadLine(); // untrusted input; used unchanged in the query text below
    // Search Show
    // NOTE(review): the connection string carries the sa login and password in source code.
    SqlConnection zhancnn = new SqlConnection("server=.; Database=ren;user=sa;pwd=123"); // Connection
    // Statement of Operation
    SqlCommand zhancmd = zhancnn.CreateCommand();
    // INJECTION POINT: No is spliced into the statement; a quote character in the input
    // ends the literal and whatever follows is parsed as SQL.
    zhancmd.CommandText = "SELECT * from Xinxi where code= '" + No + "'"; // statements that perform actions
    zhancnn.Open();
    SqlDataReader SS = zhancmd.ExecuteReader(); // never closed or disposed explicitly; only the Close() below ends it
    if (SS.HasRows) // whether there is data to be modified in the database
    {
        b = true;
    }
    zhancnn.Close();
    if (b == true) // If you have the data you want to modify
    {
        Console.Write("Find the \"" + No + "\", please enter the name you want to modify:");
        string Mingzi = Console.ReadLine(); // second untrusted value, also concatenated below
        // Same defect as the SELECT: both Mingzi and No become part of the SQL text.
        zhancmd.CommandText = "Update Xinxi set name= '" + Mingzi + "' where code= '" + No + "'";
        zhancnn.Open();
        zhancmd.ExecuteNonQuery();
        zhancnn.Close();
        Console.WriteLine("The changes are complete! ");
        break;
    }
    else // If you don't have the data you want to modify
    {
        Console.WriteLine("The database does not have this message, please enter the correct code!! ");
    }
}
Console.ReadLine();
When running it, notice what I enter at the prompt:
Then query the database (select all rows); the result becomes:
To prevent this kind of SQL injection attack, we need:
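// in C#
// Parameterized version: every user-supplied value is bound as a SqlParameter and never
// becomes part of the SQL text, so the input can only ever be a value, not a statement.
// NOTE(review): the page's original "fixed" listing parameterized only the UPDATE and still
// concatenated the code into the SELECT, which left that query injectable; both are bound here.
// NOTE(review): the sa login and password are embedded in source; move them to configuration.
const string connectionString = "server=.; Database=ren;user=sa;pwd=123";
for (; ; )
{
    bool found = false; // intermediate variable: does a row with this code exist?
    Console.Write("Please enter the number you want to modify:");
    string No = Console.ReadLine() ?? string.Empty; // ReadLine returns null at end of input; bind an empty value instead of a missing parameter

    // Search: connection, command and reader are disposed by the using blocks, even on break.
    using (SqlConnection zhancnn = new SqlConnection(connectionString))
    using (SqlCommand zhancmd = zhancnn.CreateCommand())
    {
        // @no is a placeholder with no quotes around it; the value is bound below.
        zhancmd.CommandText = "SELECT * from Xinxi where code=@no;";
        zhancmd.Parameters.AddWithValue("@no", No);
        zhancnn.Open();
        using (SqlDataReader SS = zhancmd.ExecuteReader()) // closed here, before the command is reused
        {
            found = SS.HasRows; // whether there is data to be modified in the database
        }

        if (found) // the row exists, ask for the new name
        {
            Console.Write("Find the \"" + No + "\", please enter the name you want to modify:");
            string Mingzi = Console.ReadLine() ?? string.Empty;
            // @mingzi / @no: placeholders, again without quotes.
            zhancmd.CommandText = "update xinxi Set name=@mingzi where code=@no;";
            zhancmd.Parameters.Clear(); // must first empty all contents: @no from the SELECT is still bound
            zhancmd.Parameters.AddWithValue("@mingzi", Mingzi); // parameter name must match the placeholder above; the second argument is the bound value
            zhancmd.Parameters.AddWithValue("@no", No);
            zhancmd.ExecuteNonQuery();
            Console.WriteLine("The changes are complete! ");
            break;
        }
        else // no row with that code
        {
            Console.WriteLine("The database does not have this message, please enter the correct code!! ");
        }
    }
}
Console.ReadLine();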
// If the same input is entered in the execution window, the parameterized query treats the "injected code" together with the "name to change" as one whole string value, not as SQL.
C# and SQL: string injection attacks and how to prevent them