Approach 1:
sql = "select * from users where username='"+uname+"' and userpassword ='"+upassword+"'";
Approach 2:
sql = "select * from users where username=@uname and userpassword =@upassword";
Approach 3:
sql = String.Format("select * from users where username='{0}' and userpassword='{1}'", uname, upassword);
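Note: 'uname' and 'upassword' are parameters. It is best not to use the first approach, string concatenation, because it is error-prone and insecure.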
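
The following is an added example, not code from the original page. It runs approach 1 and approach 2 against the same inputs to show why concatenation is error-prone. It assumes the Microsoft.Data.Sqlite NuGet package as a stand-in in-memory database; the class name, table layout and sample rows are constructed for illustration.

```csharp
using System;
using Microsoft.Data.Sqlite; // assumption: NuGet package Microsoft.Data.Sqlite

static class LoginQueryDemo
{
    // Approach 1 from the page: input is spliced into the SQL text.
    static long CountConcatenated(SqliteConnection db, string uname, string upassword)
    {
        using var cmd = db.CreateCommand();
        cmd.CommandText = "select count(*) from users where username='" + uname
                        + "' and userpassword ='" + upassword + "'";
        return (long)cmd.ExecuteScalar()!;
    }

    // Approach 2 from the page: constant SQL text, values bound as parameters.
    static long CountParameterized(SqliteConnection db, string uname, string upassword)
    {
        using var cmd = db.CreateCommand();
        cmd.CommandText =
            "select count(*) from users where username=@uname and userpassword =@upassword";
        cmd.Parameters.AddWithValue("@uname", uname);
        cmd.Parameters.AddWithValue("@upassword", upassword);
        return (long)cmd.ExecuteScalar()!;
    }

    static void Main()
    {
        using var db = new SqliteConnection("Data Source=:memory:");
        db.Open();
        using (var setup = db.CreateCommand())
        {
            // Constructed sample rows; the second name contains an apostrophe.
            setup.CommandText = "create table users (username text, userpassword text);"
                + "insert into users values ('alice', 'pw-alice'), ('o''brien', 'pw-obrien');";
            setup.ExecuteNonQuery();
        }

        foreach (var (uname, upassword) in new[] { ("alice", "pw-alice"), ("o'brien", "pw-obrien") })
        {
            Console.WriteLine($"{uname}: parameterized matches = {CountParameterized(db, uname, upassword)}");
            try
            {
                Console.WriteLine($"{uname}: concatenated matches = {CountConcatenated(db, uname, upassword)}");
            }
            catch (SqliteException ex)
            {
                // The apostrophe ended the string literal early, so the rest of the
                // value was parsed as SQL instead of data.
                Console.WriteLine($"{uname}: concatenated query failed: {ex.Message}");
            }
        }
    }
}
```

Approach 3 builds the same SQL text as approach 1, since String.Format only substitutes the values into the string, so it behaves the same way on these inputs.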