1、添加数据库连接字符串
App.config或Web.config
在<configuration></configuration>节点内添加以下内容：
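<connectionStrings>
  <!-- The attribute is connectionString (singular). The original "connectionStrings" is not a valid
       attribute of <add>, so the entry would not load and ConfigurationManager would return null. -->
  <!-- Sample credentials only: keep real passwords out of source control and prefer a least-privilege
       login over sa. -->
  <add name="connectionStr" connectionString="server=.;database=mydata;uid=sa;pwd=123456"/>
</connectionStrings>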
2、程序中引用连接字符串
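// The indexer key must be the name="..." of the <add> element inside <connectionStrings> ("connectionStr"),
// not the section name "connectionStrings"; with the wrong key the lookup returns null and the
// .ConnectionString access throws NullReferenceException at startup.
public string constr = ConfigurationManager.ConnectionStrings["connectionStr"].ConnectionString;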
3、编写SQL语句
// Plain query text with no user input, so there is nothing to parameterize here.
var sql = "select * from Student";
4、参数化替换(SqlParameter)
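int id = 1;
// The original column list had a trailing comma ("StuNum, from"), which SQL Server rejects as a syntax error.
string sql = "select StuName,StuNum from Student where Id=@id";
// SqlConnection and SqlCommand are IDisposable; dispose them deterministically rather than leaving
// the pooled connection to the finalizer.
using (SqlConnection con = new SqlConnection(constr))
using (SqlCommand cmd = new SqlCommand(sql, con))
{
    // The value is bound as a parameter and never spliced into the SQL text, which is what prevents
    // injection. Pass the variable, not a literal 0: a 0 literal would resolve to the
    // SqlParameter(string, SqlDbType) overload instead of (string, object).
    SqlParameter par = new SqlParameter("@id", id);
    cmd.Parameters.Add(par);
}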
5、防止SQL注入攻击的办法是通过SqlParameter参数化查询，而不是把用户输入直接拼接进SQL字符串。