怎么样参数化输入？

  public int addSQL(string cmdText, params SqlParameter[] cmdParameters)
    {
        SqlCommand cmd = new SqlCommand();        using (SqlConnection cn = SqlOperation.GetConnection())
        {
            //通过PrePareCommand方法将参数逐个加入到SqlCommand的参数集合中
            PrepareCommand(cmd, cn, null, CommandType.Text, cmdText, cmdParameters);
            int i = cmd.ExecuteNonQuery();            //清空SqlCommand中的参数列表
            cmd.Parameters.Clear();
            return i;
        }
    }
private static void PrepareCommand(SqlCommand cmd, SqlConnection conn, SqlTransaction trans, CommandType cmdType, string cmdText, SqlParameter[] cmdParms)
    {        //判断数据库连接状态
        if (conn.State != ConnectionState.Open)
            conn.Open();
        cmd.Connection = conn;
        cmd.CommandText = cmdText;
        //判断是否需要事物处理
        if (trans != null)
            cmd.Transaction = trans;
        cmd.CommandType = cmdType;
        if (cmdParms != null)
        {
            foreach (SqlParameter parm in cmdParms)
                cmd.Parameters.Add(parm);
        }
    }参数化插入数据的时候如何调用addSQL()?

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

addSQL("select * from a where id=@id",new SqlParameter("@id",1));
SqlParameter[] parameters={new SqlParameter("@id",1),new SqlParameter("@name","aa")}；
addSQL("select * from a where id=@id and name=@name",parameters);