Updated: 2023-11-05 23:24:40
Don't ever build SQL statements like that, it's very unsafe (read this). Use parameters, i.e.:
using System.Data.SqlClient;
// connectionString is assumed to be defined elsewhere
using (var connection = new SqlConnection(connectionString))
using (var command = new SqlCommand("select * from person where firstname = @firstname", connection))
{
    // The value is sent separately from the SQL text, so the quote inside it is data, not syntax
    command.Parameters.Add(new SqlParameter("@firstname", "testing12'3"));
    connection.Open();
    using (var reader = command.ExecuteReader()) { /* read rows */ }
}
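As an added example (not part of the original answer), the same contrast carried out with Python's sqlite3 module so it runs offline: the concatenated statement fails on the quote in testing12'3, while the parameterized one returns the row. The table, rows and helper names are constructed here.

```python
import sqlite3


def make_db():
    # Constructed in-memory table; the principle is the same for SqlCommand in ADO.NET.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table person (firstname text)")
    conn.executemany("insert into person values (?)", [("alice",), ("testing12'3",)])
    return conn


def find_concatenated(conn, firstname):
    # Unsafe: the value becomes part of the SQL text, so a quote in it changes the statement.
    sql = "select * from person where firstname = '" + firstname + "'"
    return conn.execute(sql).fetchall()


def find_parameterized(conn, firstname):
    # Safe: the value travels separately from the SQL text and is never parsed as SQL.
    return conn.execute("select * from person where firstname = ?", (firstname,)).fetchall()


def demo(value="testing12'3"):
    # Returns (result of the concatenated query or its error message, result of the parameterized query).
    conn = make_db()
    try:
        concatenated = find_concatenated(conn, value)
    except sqlite3.OperationalError as exc:
        concatenated = "error: " + str(exc)
    parameterized = find_parameterized(conn, value)
    return concatenated, parameterized


if __name__ == "__main__":
    print(demo())
```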