更新时间:2023-01-19 22:55:25
You could just do this:
query = "Select * From Table Where Title = " + someone;
But that is bad and opens you up to SQL injection.
You should just use a parameterized query.
Something like this should get you started:
using System.Data;
using System.Data.SqlClient;

using (var cn = new SqlConnection(yourConnectionString))
using (var cmd = new SqlCommand())
{
    cn.Open();
    cmd.Connection = cn;
    cmd.CommandType = CommandType.Text;
    // The value is sent as a separate parameter, never spliced into the SQL text.
    cmd.CommandText = "Select * From Table Where Title = @Title";
    cmd.Parameters.AddWithValue("@Title", someone);
    using (var reader = cmd.ExecuteReader())
    {
        while (reader.Read()) { /* read columns from reader */ }
    }
}
From Jon Skeet's answer, since his was more complete than mine.
See SqlCommand.Parameters for details.
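To make the difference concrete, here is an added example (not part of either answer above) that runs the two approaches side by side against a constructed in-memory SQLite table. It uses Python's sqlite3 module rather than C#/SqlClient purely so it runs stand-alone; the `?` placeholder plays the role of `@Title`, and the table name, columns, rows and the `' OR '1'='1` payload are all made up for the demonstration. The concatenated query adds the surrounding quotes the original one-liner left out, so that it is at least syntactically valid SQL.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_ROWS = [("Hello", 0), ("World", 0), ("Admin notes", 1)]

# Classic tautology payload: closes the string literal, then ORs in a true condition.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory database with a small Articles table."""
    cn = sqlite3.connect(":memory:")
    cn.execute(
        "CREATE TABLE Articles (Id INTEGER PRIMARY KEY, Title TEXT, Secret INTEGER)"
    )
    cn.executemany("INSERT INTO Articles (Title, Secret) VALUES (?, ?)", SAMPLE_ROWS)
    return cn


def find_by_title_concat(cn, someone):
    """Vulnerable: user input is pasted into the SQL text, mirroring
    query = "Select * From Table Where Title = " + someone;"""
    query = (
        "SELECT Title FROM Articles WHERE Title = '" + someone + "' ORDER BY Id"
    )
    return [row[0] for row in cn.execute(query)]


def find_by_title_param(cn, someone):
    """Safe: the statement text is fixed and the value travels separately as a
    bound parameter, so it can only ever be compared as data."""
    query = "SELECT Title FROM Articles WHERE Title = ? ORDER BY Id"
    return [row[0] for row in cn.execute(query, (someone,))]


if __name__ == "__main__":
    cn = make_db()
    print(find_by_title_concat(cn, "Hello"))   # ['Hello']
    print(find_by_title_concat(cn, PAYLOAD))   # ['Hello', 'World', 'Admin notes']
    print(find_by_title_param(cn, "Hello"))    # ['Hello']
    print(find_by_title_param(cn, PAYLOAD))    # []
```

With the concatenated query the payload rewrites the WHERE clause into `Title = 'x' OR '1'='1'` and every row comes back, including the one flagged as secret; with the parameterized query the same string is simply a title nobody has, and nothing comes back. The same holds for SqlClient with `@Title`: the database engine receives the statement and the value as two separate things.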
Basically you shouldn't embed your values within the SQL itself, for various reasons: