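// Builds a parameterized login lookup. The user-supplied values are bound as the
// @NAME / @PWD parameters instead of being concatenated into the SQL text, so
// the server receives them as data and they cannot alter the statement itself.
//
// NOTE(review): comparing USERPWD with the supplied value inside the query
// suggests the table may hold plaintext passwords (confirm what U.Pwd contains).
// If so, store a salted, slow hash (e.g. PBKDF2) and verify it in code.
string sql = "SELECT * FROM USERS WHERE USERNAME=@NAME AND USERPWD=@PWD";

// NOTE(review): this connects as the built-in `sa` administrator with an empty
// password, and the credential is hard-coded in source. Prefer a dedicated
// least-privileged login for the application and load the connection string
// from protected configuration (or use Integrated Security) instead.
string conStr = "server=(local);database=webuser;uid=sa;pwd=;";
SqlConnection con = new SqlConnection(conStr);
SqlCommand cmd;

// SqlConnection and SqlCommand are IDisposable. Opening, executing and disposing
// are not shown in this snippet, so the surrounding code should wrap them in
// `using` blocks to return the connection to the pool even on error.

// Method 1: set the command up property by property and let AddWithValue infer
// each parameter's SQL type and length from the runtime value.
cmd = new SqlCommand();
cmd.CommandText = sql;
cmd.Connection = con;
cmd.Parameters.AddWithValue("@NAME", U.Name);
cmd.Parameters.AddWithValue("@PWD", U.Pwd);

// Method 2: pass text and connection to the constructor and declare each
// parameter's SQL type explicitly. This is an alternative to Method 1; as
// written it replaces the command built above, so use one or the other.
// NOTE(review): no length is given for NVarChar; the column definitions are
// not visible here, so consider passing each column's declared length.
cmd = new SqlCommand(sql, con);
cmd.Parameters.Add(new SqlParameter("@NAME", SqlDbType.NVarChar));
cmd.Parameters["@NAME"].Value = U.Name;
cmd.Parameters.Add(new SqlParameter("@PWD", SqlDbType.NVarChar));
cmd.Parameters["@PWD"].Value = U.Pwd;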