黑马程序员 参数化查询避免SQL注入漏洞攻击

 

 1 using (SqlConnection conn = new SqlConnection("Data Source=.; Initial Catalog=MyTest;User ID=sa;Password=123456"))
 2             {
 3                 conn.Open();
 4                 using (SqlCommand cmd = conn.CreateCommand())
 5                 {
 6                     // 输入  1' or '1'='1  会造成SQL注入漏洞
 7                    // cmd.CommandText = "select age from T_STudent where Name='"+txtName.Text+"'";
 8 
 9                     cmd.CommandText = "select age from T_Student where Name=@Name or Age>@aaa";
10 
11 
12                     cmd.Parameters.Add(new SqlParameter("@Name", txtName.Text));
13                     cmd.Parameters.Add(new SqlParameter("@aaa"
14                         , Convert.ToInt32(txtAGe.Text)));
15                     //insert into ....  values(@Name,@Age)
16                     //delete .... where Id=@HahahId
17                     //update t1 set Age=@myage
18 
19                     //@参数不能用来替换表名、字段名、select之类的关键字等
20                     //cmd.CommandText = "select age from @TableName";
21                     //cmd.Parameters.Add(new SqlParameter("@TableName", "T_Student"));
22 
23                     //cmd.Parameters.Add(new SqlParameter("@Name", txtName));//初学者不要写错成这样
24                     using (SqlDataReader reader = cmd.ExecuteReader())
25                     {
26                         while (reader.Read())
27                         {
28                             //GetInt32获得的是int类型
29                             //GetInt64获得的是long类型(数据库中是bigint)
30                             int age = reader.GetInt32(0);
31                             MessageBox.Show(age.ToString());
32                         }
33                     }
34                 }
35             }

 
