这里给大家讲解一种带参数的 SQL 语句写法，在实际开发中用于防止 SQL 注入。
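/// <summary>
/// Inserts one fixed Employee row with a parameterized INSERT and returns the
/// number of rows affected.
/// </summary>
/// <returns>The row count reported by <see cref="SqlCommand.ExecuteNonQuery"/>.</returns>
/// <exception cref="Exception">
/// Wraps any <see cref="SqlException"/> raised while opening the connection or
/// executing the command; the original exception is kept as <c>InnerException</c>.
/// </exception>
public int ExecuteNonQuery()
{
    // The values are sent as parameters rather than spliced into the SQL text, so the
    // server never parses them as SQL — this is what prevents SQL injection here.
    string cmdText = "insert into Employee(EmployeeName, Gender, NowAddress) values(@EmployeeName,@Gender,@NowAddress)";
    SqlParameter[] parameters = new SqlParameter[]
    {
        new SqlParameter("@EmployeeName", "Kiter25"),
        new SqlParameter("@Gender", "男"),
        new SqlParameter("@NowAddress", "天津")
    };

    // using disposes both objects on every exit path (Dispose also closes the
    // connection), replacing the explicit Close() in finally and additionally
    // releasing the SqlCommand, which the original never disposed.
    using (SqlConnection sqlConnection = new SqlConnection(connstring))
    using (SqlCommand cmd = new SqlCommand(cmdText, sqlConnection))
    {
        cmd.Parameters.AddRange(parameters);
        try
        {
            sqlConnection.Open();
            return cmd.ExecuteNonQuery();
        }
        catch (SqlException ex)
        {
            // Keep the original type and message so existing callers still match, but
            // pass ex as InnerException so the SQL error number and stack trace survive.
            // The provider message can name tables/columns; callers should log it rather
            // than display it to end users unchanged.
            throw new Exception("ExecuteNonQuery异常:" + ex.Message, ex);
        }
    }
}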