//方法一:参数化查询。缺点:增大数据库的压力 string ConnectionString="";//数据库连接字串 string CustomerID = string.Empty; string CompanyName =string.Empty; string Address =string.Empty; using (SqlConnection cn = new SqlConnection(ConnectionString)) { cn.Open(); SqlCommand cmd = new SqlCommand("insert into Customers(CustomerID,CompanyName,Address) values(@CustomerID,@CompanyName,@Address)", cn); //cmd.Parameters.Add(new SqlParameter("@CustomerID", CustomerID)); 不会去与数据库匹配 cmd.Parameters.Add("@CustomerID", SqlDbType.NChar, 5, CustomerID);//这种设置的数据类型,长度都必须与数据库字段一致 cmd.Parameters.Add("@CompanyName", SqlDbType.NVarChar, 40, CompanyName); cmd.Parameters.Add("@Address", SqlDbType.NVarChar, 60, Address); cmd.ExecuteNonQuery(); cn.Close(); } //方法二:过滤输入的信息,检查是否存在危险字符。不必连接数据库 /// <summary> /// 检查输入的数据 是否存在危险字符 /// </summary> /// <param name="sUser"></param> /// <param name="sPwd"></param> /// <returns>返回一个bool值</returns> public bool CheckData(string sUser, string sPwd) { if (sUser.IndexOf("'") != -1 || sPwd.IndexOf("%") != -1) { return false; } return true; } //方法三:使用存储过程(简单代码) string ConnectionString = "";//数据库连接字串 string CustomerID = string.Empty; string CompanyName = string.Empty; string Address = string.Empty; using (SqlConnection cn = new SqlConnection(ConnectionString)) { cn.Open(); string Sql = "InsertUserProc";//存储过程名 SqlCommand cmd = new SqlCommand(Sql,cn); cmd.CommandType = CommandType.StoredProcedure; cmd.ExecuteNonQuery(); cn.Close(); }