//解决SQL注入漏洞 cmd是SqlCommand对象
cmd.CommandText = @"select count(*) from UserInfo where UserName=@UserName and UserPwd=@UserPwd";
cmd.Parameters.AddWithValue("@UserName",txtUserName.Text); //SQL参数化
cmd.Parameters.AddWithValue("@UserPwd",txtUserPwd.Text);
object result = cmd.ExecuteScalar();