string strsql = "update board set title=@Title where board_ID=@Board_ID";
跟
string strsql="update board set title='"+title+"'where board_id="+board+";
有什么区别啊????????
跟
string strsql="update board set title='"+title+"'where board_id="+board+";
有什么区别啊????????
title 是.net中的变量
实际应用效果是一样的
第二种情况下,直接赋值
直接在.net中操作
第二种情况下是把变量直接拼接进 SQL 字符串；而第一种情况下参数值（@Title、@Board_ID）由数据库驱动单独传递，不会被当作 SQL 语句解析。所以如果要防止 SQL 注入式攻击，第二种写法需要另外过滤字符串，第一种写法则不需要。
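/// <summary>
/// Prepares user-supplied text for storage inside a single-quoted SQL literal and later
/// display as HTML: encodes &amp;, &lt; and &gt; as HTML entities, doubles single quotes,
/// turns line breaks into &lt;br/&gt; and trims surrounding whitespace.
/// </summary>
/// <param name="str">Raw input text; null is treated as an empty string.</param>
/// <returns>The encoded text; never null.</returns>
/// <remarks>
/// Doubling single quotes only makes the value safe inside a '...' literal of a concatenated
/// statement; the parameterized form (title=@Title) is the proper protection and needs no
/// quote doubling at all. The earlier keyword blacklist (select/insert/update/delete/create/
/// drop/declare, plus removal of "*" and "?") has been dropped: it does not reliably prevent
/// injection and silently corrupts ordinary text that happens to contain those words.
/// The HTML entity names appear to have been lost when the original was rendered
/// (Replace("&amp;","&amp;") etc.); they are restored here.
/// </remarks>
public string FunStr(string str)
{
    if (str == null)
    {
        return string.Empty;
    }

    // "&" must be encoded first, otherwise the entities produced below would be encoded twice.
    str = str.Replace("&", "&amp;");
    str = str.Replace("<", "&lt;");
    str = str.Replace(">", "&gt;");

    // Escape for embedding in a single-quoted SQL literal (see remarks).
    str = str.Replace("'", "''");

    // "\r\n" must be handled before "\n"; the original order left a stray "\r" behind
    // and the "\r\n" replacement could never match.
    str = str.Replace("\r\n", "<br/>");
    str = str.Replace("\n", "<br/>");

    return str.Trim();
}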