// Original (vulnerable) sample: the value typed into the tbXH TextBox is concatenated straight into the SQL text.
using System.Data.SqlClient;

string strCon = "Persist Security Info=false; User ID=sa; pwd=lovemary; Database=student; Server=(local)";
SqlConnection sql = new SqlConnection(strCon);
sql.Open();
SqlCommand com = new SqlCommand();
com.Connection = sql;
// String concatenation: whatever the user types becomes part of the statement itself.
com.CommandText = "Delete from XSB where XH = '" + tbXH.Text + "'";
What is the problem with building the statement by concatenation? Suppose the user types 1' or '1'='1 into tbXH (the TextBox). The statement sent to the server then becomes
delete from XSB where XH = '1' or '1'='1'
The condition '1'='1' is always true, so the WHERE clause matches every row and every record in the table is deleted. (Because the sample connects as the sa sysadmin login, nothing on the database side limits the damage either.)
How to solve it?
Use a parameterized query:
com.CommandText = "Delete from XSB where XH = @XH";
com.Parameters.Add(new SqlParameter("@XH", tbXH.Text));
The text box content is now sent to SQL Server as a parameter value, not as part of the statement text, so 1' or '1'='1 is compared literally against XH and matches nothing.
The following SQL statements can all be written as parameterized queries:
"Delete from XSB where XH = @XH"
"INSERT INTO XSB (XH, XM, XB, CSRQ, ZY, ZXF) VALUES (@XH, @XM, @XB, @CSRQ, @ZY, @ZXF)"
"Select ... where ... = @..."
"Update ... set age = @..."
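The following is an added example, not code from the original post: a complete helper class for the delete and insert statements above, using typed SqlParameter objects and disposing the connection and command. The SqlDbType values and lengths chosen for the XSB columns are assumptions (the post does not give the table schema); the connection string is passed in by the caller.

```csharp
// Added example (not from the original post). Column types and lengths are
// assumptions; adjust them to the real XSB schema.
using System;
using System.Data;
using System.Data.SqlClient;

public static class XsbRepository
{
    // Deletes the row whose XH equals the given value and returns the number
    // of rows affected. Input such as  1' or '1'='1  arrives as a parameter
    // value, so it is compared literally and matches no row.
    public static int DeleteByXH(string connectionString, string xh)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("DELETE FROM XSB WHERE XH = @XH", conn))
        {
            // Explicit type and length: avoids the implicit-conversion and
            // plan-cache problems that AddWithValue can cause.
            cmd.Parameters.Add("@XH", SqlDbType.Char, 10).Value = xh;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Inserts one student row; every column is bound to a parameter whose
    // name and type match the column, so no user input touches the SQL text.
    public static int Insert(string connectionString, string xh, string xm, string xb,
                             DateTime csrq, string zy, int zxf)
    {
        const string sql =
            "INSERT INTO XSB (XH, XM, XB, CSRQ, ZY, ZXF) " +
            "VALUES (@XH, @XM, @XB, @CSRQ, @ZY, @ZXF)";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@XH", SqlDbType.Char, 10).Value = xh;
            cmd.Parameters.Add("@XM", SqlDbType.NVarChar, 20).Value = xm;
            cmd.Parameters.Add("@XB", SqlDbType.NChar, 1).Value = xb;
            cmd.Parameters.Add("@CSRQ", SqlDbType.Date).Value = csrq;
            cmd.Parameters.Add("@ZY", SqlDbType.NVarChar, 30).Value = zy;
            cmd.Parameters.Add("@ZXF", SqlDbType.Int).Value = zxf;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Calling XsbRepository.DeleteByXH(strCon, tbXH.Text) with the injection string from above returns 0 rows affected, because the whole string is matched against XH as data. The sample's connection string also logs in as sa with a hard-coded password; a dedicated login granted only the rights the application needs limits what any injected statement could do if concatenation slips back in somewhere.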
SqlCommand parameterized queries