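/// <summary>
/// Builds the lookup query for <paramref name="pPa"/>. The value is embedded as a
/// quoted literal, so any single quote in it is doubled (''), which is what the SQL
/// string-literal grammar requires; without that, a quote in <paramref name="pPa"/>
/// terminates the literal and the remainder of the input is parsed as SQL (injection).
/// Doubling quotes only hardens this one literal context — prefer passing the value as a
/// command parameter (SqlParameter "@paramXXX" on cmd.Parameters) over building the text at all.
/// </summary>
/// <param name="pPa">Value to match against column XX; null is treated as an empty string, as the original concatenation did.</param>
/// <returns>The SELECT statement text with the value embedded as an escaped literal.</returns>
public string strSql(string pPa)
{
    // Doubling the quote keeps pPa inside the literal; null concatenates as "" in the original too.
    string literal = (pPa ?? string.Empty).Replace("'", "''");
    return "SELECT XX FROM XXX WHERE XX='" + literal + "'";
}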
"SELECT XX FROM XXX WHERE XX='"+strXXX+"'"
"SELECT XX FROM XXX WHERE XX="+strXXX;
Sql Server:
cmd.CommandText = "SELECT XX FROM XXX WHERE XX=@paramXXX";
SqlParameter param = new SqlParameter("@paramXXX", SqlDbType.VarChar);
param.Value = strXXX;
cmd.Parameters.Add(param);
Oracle: 上面的@paramXXX用:paramXXX代替
"SELECT XX FROM XXX WHERE XX='" + strXXX +"'"
用namhyuk(namhyuk) 的方法 在安全上面有好处
"SELECT XX FROM XXX WHERE XX= " + "'" + strXXX + "'"这样应该就可以了...
{
return "SELECT XX FROM XXX WHERE XX='" + pPa + "'";
}
param.Value = strXXX;cmd.Parameters.Add(param);Oracle:
上面的@paramXXX用:paramXXX代替
在安全上面有好处