Updated: 2023-01-19 17:11:36
You could do this
query = "Select * From Table Where Title = " + someone;
But that is bad and opens you to SQL Injection
You should just use a parameterized query
Something like this should get you started
using System.Data;
using System.Data.SqlClient;

using (var cn = new SqlConnection(yourConnectionString))
using (var cmd = new SqlCommand())
{
    cn.Open();
    cmd.Connection = cn;
    cmd.CommandType = CommandType.Text;
    // @Title is a placeholder; the value is sent separately and never becomes part of the SQL text
    cmd.CommandText = "Select * From Table Where Title = @Title";
    // typed parameter; the Add(string, object) overload used in older code is obsolete
    cmd.Parameters.Add("@Title", SqlDbType.NVarChar).Value = someone;
    using (var reader = cmd.ExecuteReader())
    {
        // read the rows here
    }
}
From Jon Skeet's answer since his was more complete than mine
See SqlCommand.Parameters for more information.
Basically you shouldn't embed your values within the SQL itself for various reasons:
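The same contrast, as an added example that is not from the answer or from Jon Skeet: it is written in Python against an in-memory SQLite table instead of C# and SQL Server so that it runs offline, the sample rows are constructed, and the table, column and function names are assumptions. It shows the concatenated query returning every row for an injected value and breaking on a legitimate apostrophe, while the bound parameter (the equivalent of @Title) does neither.

```python
import sqlite3

# Constructed sample data (not from the original page).
SAMPLE_ROWS = [("hello", 0), ("O'Reilly", 0), ("admin notes", 1)]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for the answer's 'Table'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Posts (Id INTEGER PRIMARY KEY, Title TEXT, Secret INTEGER)"
    )
    conn.executemany("INSERT INTO Posts (Title, Secret) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_by_title_concat(conn: sqlite3.Connection, title: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, as in the answer's
    first snippet (with the quotes that one-liner omits). Whatever the caller
    supplies is parsed as SQL."""
    sql = "SELECT Id, Title FROM Posts WHERE Title = '" + title + "'"
    return conn.execute(sql).fetchall()


def find_by_title_param(conn: sqlite3.Connection, title: str) -> list:
    """Safe: the value travels as a bound parameter, so quotes and keywords in
    it are just characters of the string being compared."""
    sql = "SELECT Id, Title FROM Posts WHERE Title = ?"
    return conn.execute(sql, (title,)).fetchall()


def demo() -> dict:
    """Run both forms on an injected value and on a legitimate apostrophe."""
    conn = make_db()
    payload = "x' OR '1'='1"  # classic tautology: turns the WHERE into "always true"
    results = {
        "concat_injected": find_by_title_concat(conn, payload),  # every row leaks
        "param_injected": find_by_title_param(conn, payload),    # no such title: []
        "param_quote": find_by_title_param(conn, "O'Reilly"),     # works as intended
    }
    try:
        find_by_title_concat(conn, "O'Reilly")
        results["concat_quote"] = "no error"
    except sqlite3.OperationalError as exc:
        # the apostrophe terminates the string literal and the statement no longer parses
        results["concat_quote"] = f"OperationalError: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second failure mode is the one that usually gets the concatenated version noticed in practice: a user named O'Reilly breaks the query long before anyone tries a deliberate payload, and parameters fix both problems with the same change.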