Parameterized commands prevent SQL injection

1. First, create the stored procedure in the database

    Create proc usp_selectstudent
        @studentName nvarchar(10)
    as
        -- table name "Student" is assumed here; the original omitted the FROM clause
        Select * from Student where StudentName = @studentName
    Go

2. Then call the stored procedure from the C# program; the value travels as a parameter, so it is never parsed as SQL

    using System.Data;
    using System.Data.SqlClient;

    // 1.1 Connection string
    string str = "data source=.;Initial catalog=myschool;uid=sa;pwd=6375196";
    // 1.2 Create the Connection object
    SqlConnection con = new SqlConnection(str);
    // 1.3 Build the Command object from the Connection object (the second way to create a SqlCommand)
    SqlCommand cmd = con.CreateCommand();
    // 1.4 Assign the text the command will execute: here it is the name of the stored procedure
    cmd.CommandText = "usp_selectinfo";
    // 1.5 Tell the SQL engine that the string sent over the wire is a stored procedure name, not SQL text
    cmd.CommandType = CommandType.StoredProcedure;
    // 1.6 Build the stored procedure's input parameter and assign its value;
    //     the name must match the input parameter declared in the stored procedure
    SqlParameter para = new SqlParameter("@sex", "1");
    // 1.7 Bind the parameter to the command object's parameter collection
    cmd.Parameters.Add(para);
    // 1.8 Open the connection: the channel to the database is established here
    con.Open();
    // 1.9 Build the adapter (the "truck" that carries the data)
    SqlDataAdapter da = new SqlDataAdapter();
    // 1.10 Bind the already initialized cmd object to the adapter
    da.SelectCommand = cmd;
    // 1.11 Build the in-memory DataSet object
    DataSet ds = new DataSet();
    // 1.12 Carry the data from the DB into a table in the DataSet
    da.Fill(ds, "Stuinfo");
    // 1.13 Point the DataGridView's data source at that table
    dgvList.DataSource = ds.Tables["Stuinfo"];
    // 1.14 Close the connection
    con.Close();
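To make the difference concrete, here is an added example (not part of the original post) that runs the page's student-name lookup two ways against a constructed in-memory SQLite table: once by splicing the value into the SQL text, once as a bound parameter, the SQLite analogue of the `@studentName` stored-procedure parameter. The `Student` table, its `Sex` column and the sample rows are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the page's Student table (assumed
# table and column names; the original only shows the StudentName column).
SAMPLE_STUDENTS = [("Alice", "1"), ("Bob", "0"), ("Carol", "1")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Student (StudentName TEXT, Sex TEXT)")
    con.executemany("INSERT INTO Student VALUES (?, ?)", SAMPLE_STUDENTS)
    return con


def select_student_concat(con, student_name):
    """Vulnerable: the value is spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = "SELECT * FROM Student WHERE StudentName='" + student_name + "'"
    return con.execute(sql).fetchall()


def select_student_param(con, student_name):
    """Hardened: the value is sent as a bound parameter. The engine compares
    the whole string literally; it is never parsed as SQL."""
    sql = "SELECT * FROM Student WHERE StudentName=?"
    return con.execute(sql, (student_name,)).fetchall()


def compare(student_name):
    """Run both lookups on a fresh database and return their result sets."""
    con = make_db()
    try:
        return {
            "concat": select_student_concat(con, student_name),
            "param": select_student_param(con, student_name),
        }
    finally:
        con.close()


if __name__ == "__main__":
    # A normal name behaves the same either way.
    print(compare("Alice"))
    # A probe that closes the quoted literal: the concatenated query returns
    # every row, the parameterized query returns nothing.
    print(compare("x' OR '1'='1"))
```

The parameterized lookup returns an empty result for the probe string because the whole string, quote included, is compared against `StudentName` as data.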

