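/// <summary>
/// Runs the member lookup for the MemberID/Password pair carried by <paramref name="model"/>,
/// binding both values as SQL parameters instead of splicing them into the statement text.
/// </summary>
/// <param name="model">Holds the MemberID and Password to match; must not be null.</param>
/// <returns>The <see cref="DataTable"/> produced by <c>SqlHelp.GetDataTable</c> for the query.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="model"/> is null.</exception>
public DataTable CheckMember(M_Member model)
{
    // Fail early with a clear exception instead of a NullReferenceException on model.MemberID below.
    if (model == null)
    {
        throw new ArgumentNullException("model");
    }

    // @MemberID and @Password are placeholders; the database receives the values separately from
    // the statement, so whatever the user typed is treated as data, never as SQL (this is what
    // prevents SQL injection).
    string sqlString = "select * from Members where MemberID=@MemberID and Password=@Password";
    SqlParameter[] paremeters =
    {
        new SqlParameter("@MemberID", SqlDbType.VarChar, 50),
        new SqlParameter("@Password", SqlDbType.Char, 32)
    };
    paremeters[0].Value = model.MemberID;
    // NOTE(review): the Password column is compared as-is against a Char(32) value; whether the
    // stored value is a hash or plaintext is not visible from this method -- confirm against the schema.
    paremeters[1].Value = model.Password;
    return SqlHelp.GetDataTable(sqlString, paremeters);
}请问这个参数paremeters是干嘛用的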
// The same lookup written by formatting the values straight into the SQL text.
// MemberID and Password become part of the statement itself (and the {0}/{1} placeholders
// are not even quoted), so any SQL syntax inside them is executed by the database --
// this is the form that is open to SQL injection.
StringBuilder str = new StringBuilder();
str.AppendFormat("select * from Members where MemberID={0} and Password={1}", model.MemberID.ToString(), model.Password.ToString());
// No SqlParameter array here: the finished statement text is all that reaches SqlHelp.
return SqlHelp.GetDataTable(str.ToString());哦,那像上面这样写和带参数的写法有没有太大区别
可以参照http://topic.csdn.net/t/20040612/09/3085326.html
这个是用参数化查询，防止 SQL 注入；而 `str.AppendFormat("select * from Members where MemberID={0} and Password={1}", model.MemberID.ToString(), model.Password.ToString());` 这种直接拼接 SQL 语句的写法，用户输入会被当成 SQL 语句的一部分执行，可能会被注入。