## **参数化处理 SQL**
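// Demo: read a username and password from stdin and count matching rows in
// Logintbl using a parameterized query. The user-supplied values are bound as
// parameters and never concatenated into the SQL text, so they cannot change
// the structure of the statement.
Console.WriteLine("输入用户名");
// Console.ReadLine() returns null at end-of-input. A SqlParameter whose Value
// is null (not DBNull) is treated by SqlClient as "not supplied" and makes
// ExecuteScalar throw, so fall back to an empty string instead.
string uid = Console.ReadLine() ?? string.Empty;
Console.WriteLine("输入密码");
string pwd = Console.ReadLine() ?? string.Empty;
// login
// NOTE(review): a hard-coded 'sa' login with a literal password is demo-only.
// Real code should use a least-privilege SQL login and load the connection
// string from configuration or a secret store, never from source control.
string connStr = @"server=.;dataBase=scott;uid=sa;pwd=123";
// Only placeholders appear in the SQL text; the values travel separately.
// NOTE(review): this compares the password exactly as stored in the table.
// Passwords should be stored as salted hashes (e.g. PBKDF2) and verified in
// application code; with a case-insensitive column collation this equality
// check would also ignore case — confirm against the actual schema.
string sql = "select count(1) from Logintbl "
    + " where uid=@uid and pwd=@pwd";
SqlParameter pUid = new SqlParameter("@uid", uid);
SqlParameter pPwd = new SqlParameter("@pwd", pwd);
int count;
using (SqlConnection conn = new SqlConnection(connStr))
{
    using (SqlCommand cmd = new SqlCommand(sql, conn))
    {
        cmd.Parameters.Add(pUid);
        cmd.Parameters.Add(pPwd);
        conn.Open();
        // count(1) always yields a non-null int, so the unboxing cast is safe.
        count = (int)cmd.ExecuteScalar();
    }
}
Console.WriteLine(count);
Console.ReadKey();
// Because the values are bound as parameters, a classic payload such as
//   1' or '1'='1
// is sent as literal text and cannot alter the query.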
### 很古老的处理方式（不推荐）
用 `pwd.Replace("'", "''")`，即把输入中的单引号加倍后再拼进 SQL 字符串。
这种方式只处理了单引号 `'`，而且仅在输入被拼进带引号的字符串常量时才有效；如果输入被拼到数字、标识符等不加引号的位置（例如 `where id=` + 输入），攻击者根本不需要引号，`1; delete ...` 一类的载荷就能直接执行。手工转义还必须在每一个拼接点都不遗漏，很容易出错，不严谨。
所以还是建议用参数化查询来代替 SQL 字符串拼接：参数值与 SQL 文本分开传给数据库，用户输入永远不会被当作 SQL 代码解析。