SQL 参数化方式编码
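// Parameterized INSERT: the user-supplied text is sent as parameter values, never spliced
// into the SQL text, so it cannot alter the statement's structure (the injection vector).
string a = TextBox1.Text;
string b = TextBox2.Text;

// "连接字符串" is a placeholder; the real connection string belongs in configuration, not source.
// SqlConnection and SqlCommand are IDisposable: `using` guarantees Close/Dispose even when
// Open() or ExecuteNonQuery() throws (the original only closed on the success path, and the
// first copy of the snippet never closed the connection at all).
using (System.Data.SqlClient.SqlConnection cnn = new System.Data.SqlClient.SqlConnection("连接字符串"))
using (System.Data.SqlClient.SqlCommand cm = new System.Data.SqlClient.SqlCommand())
{
    cm.Connection = cnn;
    cm.CommandText = "insert into table1 (field1,field2) values(@field1,@field2)";

    // Typed parameters; Add(name, SqlDbType) returns the SqlParameter so the value can be set
    // directly. Giving each VarChar parameter an explicit Size matching the column would keep
    // the cached query plan stable — column sizes are not visible here, TODO confirm against schema.
    cm.Parameters.Add("@field1", SqlDbType.VarChar).Value = a;
    cm.Parameters.Add("@field2", SqlDbType.VarChar).Value = b;

    cnn.Open();
    cm.ExecuteNonQuery();
}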
// http://www.cnblogs.com/no7dw/admin/EditPosts.aspx?opt=1