string username = "huixing";
string password = "oibk';delete from user; ";
MySqlCommand cmd1 = new MySqlCommand("insert into user set username = ‘ “+username+" ' "+" , password= ' "+password+" ’ ", conn);
cmd1.Parameters.AddWithValue("jk", username);
cmd1.Parameters.AddWithValue("pwd", password);
cmd1.ExecuteNonQuery();
为了解决这种,应该采用下面这种方式
jk与pwd是我们自己定义的符号
string username = "huixing";
string password = "oibk';delete from user; ";
MySqlCommand cmd1 = new MySqlCommand("insert into user set username =@jk, password = @pwd", conn);
cmd1.Parameters.AddWithValue("jk", username);
cmd1.Parameters.AddWithValue("pwd", password);
cmd1.ExecuteNonQuery();
删除
MySqlCommand cmd2 = new MySqlCommand("delete from user where id = @id", conn);
cmd2.Parameters.AddWithValue("id", 10);
cmd2.ExecuteNonQuery();
更改
MySqlCommand cmd3 = new MySqlCommand("update user set password = @pwd where id = 13", conn);
cmd3.Parameters.AddWithValue("pwd", "shabi");
cmd3.ExecuteNonQuery();