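private void button2_Click(object sender, EventArgs e)
{
    // Looks up the student whose Id matches the text in textBox2 and shows the Name in textBox3.
    string s = textBox2.Text;
    if (string.IsNullOrEmpty(s))
    {
        // Nothing to look up; the original would have sent an incomplete WHERE clause.
        textBox3.Text = string.Empty;
        return;
    }

    // The Id comes from user input, so it is bound as a parameter instead of being spliced
    // into the SQL text: "Id=s" compared the column against the literal name s (the textbox
    // value never reached the query), and "Id=" + s would let the input rewrite the query.
    const string sql = "select Name from Stu where Id=@Id";
    using (SqlConnection cn = new SqlConnection("Data Source=.\\SQLEXPRESS;DataBase=MyDatas;Integrated Security=True;"))
    using (SqlCommand cmd = new SqlCommand(sql, cn))
    {
        // The value is sent as text and converted by the server to the Id column's type;
        // the Stu schema is not shown here — if Id is an int, a typed SqlParameter is preferable.
        cmd.Parameters.AddWithValue("@Id", s);
        cn.Open();
        // using disposes the reader and connection even when ExecuteReader throws.
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            // Last matching row wins, as in the original loop; a NULL Name clears the box
            // instead of throwing from GetString.
            while (dr.Read())
            {
                textBox3.Text = dr.IsDBNull(0) ? string.Empty : dr.GetString(0);
            }
        }
    }
}
就是那个查询条件查询学生的Id,怎么把文本框输入的s的值传给Id啊?????不会,,急啊,在线等各位大哥大姐帮忙!数据库C#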

解决方案 »

  1.   

    // NOTE(review): "+ s" splices the textbox input straight into the SQL text; this is the
    // SQL injection risk raised in answers 2 and 3 — binding s as a query parameter avoids it.
    string str=("select Name from Stu where Id=" + s);
      

  2.   

    字符串拼接或者参数化查询。后者能有效防止SQL注入攻击。
      

  3.   

    这样可能不太安全，有可能出现 SQL 注入。
    最好用加参数的方式。
      

  4.   

    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Linq;
    using System.Text;
    using System.Data.OleDb;
    using System.Windows.Forms;
    using System.Data.SqlClient;
    using System.Reflection;namespace 连接
    {
        public partial class Form1 : Form
        {
            public Form1()
            {
                InitializeComponent();
              // string b=a;
            }        private void button1_Click(object sender, EventArgs e)
            {
                Application.Exit();
            }        private void Form1_Load(object sender, EventArgs e)
            {
                DataSet ds= new DataSet();            SqlConnection cn = new SqlConnection("Data Source=.\\SQLEXPRESS;DataBase=MyDatas;Integrated Security=True;");
                string sql="select * from Stu";
                    
                    cn.Open();
                    SqlDataAdapter da=new SqlDataAdapter(sql,cn);
                da.Fill(ds);
                dataGridView1.DataSource=ds.Tables[0];
     
                
            }        private void dataGridView1_CellClick(object sender, DataGridViewCellEventArgs e)
            {
                int row = dataGridView1.CurrentCell.RowIndex;
                textBox1.Text = dataGridView1[0, row].Value.ToString();
                         }        private void button2_Click(object sender, EventArgs e)
            {  string s = textBox2.Text;
                SqlConnection cn = new SqlConnection("Data Source=.\\SQLEXPRESS;DataBase=MyDatas;Integrated Security=True;");
                    cn.Open();
                    string str=("select Name from Stu where Id="+s);
                     SqlCommand cmd=new SqlCommand(str,cn); 
                    
                     
                        SqlDataReader Dr = cmd.ExecuteReader();
                       
                    while (Dr.Read())
                    {
                        string name = Dr.GetString(0);
                        textBox3.Text = name;
                         
                    }         }