SQL·Å×¢Èë¹ýÂ˹æÔò̽ÌÖ - .NET¼¼Êõ / ASP.NET

SQL·À×¢Èë×îÓÐЧµÄ·½·¨Ó¦¸Ã»¹ÊÇÓÃ@´«²ÎÊý»ò´æ´¢¹ý³Ì°É£¬²»¹ýÓÐһЩÌØÊâÓ¦Óó¡ºÏ£¬²»µÃ²»ÓÃsqlÃüÁî×Ö·û´®Æ´½Ó

ÎÊÌâÈçÏ£º
string sql = "where username='" + username + "'"

Çë½Ì´ó¼Ò£¬usernameÕâ¸ö±äÁ¿£¬ÒªÈçºÎ¹ýÂ˲ÅÄÜÈ·±£°²È«£¿
¿´¹ýһЩ·¶Àý£¬¹ýÂËÁË´óÁ¿¹Ø¼ü´ÊºÍ·ûºÅ£¬¸Ð¾õËƺõûÓбØÒª£¬
Èç¹ûÖ»¹ýÂ˵¥ÒýºÅ£¬×ã¹»°²È«ÁËÂð£¿

---

²ÎÊý»¯£¬ÆäËûµÄ¹ýÂËÌØÊâ×Ö·ûµÄ¶¼²»ÊǺܰ²È«

---

Èç¹û»Ø¸´£¬Ç뼯ÖÐÌÖÂÛ¹ýÂ˵ĹæÔò£¬ÒòΪÎÒµÄÓ¦Óó¡ºÏÎÞ·¨Ê¹ÓÃ@²ÎÊý»¯µÈÆäËûÊֶΣ¬±ØÐëÓÃÆ´½Ó

---

ÒýÓÃ

SQL·À×¢Èë×îÓÐЧµÄ·½·¨Ó¦¸Ã»¹ÊÇÓÃ@´«²ÎÊý»ò´æ´¢¹ý³Ì°É£¬²»¹ýÓÐһЩÌØÊâÓ¦Óó¡ºÏ£¬²»µÃ²»ÓÃsqlÃüÁî×Ö·û´®Æ´½Ó

ÎÊÌâÈçÏ£º
string sql = "where username='" + username + "'"

Çë½Ì´ó¼Ò£¬usernameÕâ¸ö±äÁ¿£¬ÒªÈçºÎ¹ýÂ˲ÅÄÜÈ·±£°²È«£¿
¿´¹ýһЩ·¶Àý£¬¹ýÂËÁË´óÁ¿¹Ø¼ü´ÊºÍ·ûºÅ£¬¸Ð¾õËƺõûÓбØÒª£¬
Èç¹ûÖ»¹ýÂ˵¥ÒýºÅ£¬×ã¹»°²È«ÁËÂð£¿

¿ªÍæЦ°É£¿ÄãÔõÖªÈκγÌÐòµÄÐèÇóÖеÄusernameÖÐÓÀÔ¶²»ÄÜÓе¥ÒýºÅ£¿

---

¹ýÂ˵¥ÒýºÅ£¬execµÈΣÏÕ×Ö·û¡£ÏÞÖÆ´«Èë×Ö·û´®³¤¶È
ÎÞÂۺδ¦Ê¹ÓÃÒ»°ã´«ÈëµÄ×Ö·û´®¶¼²»»áÌ«³¤£¬Èç¹û¶þ½øÖÆ×¢ÈëÎÞÐëµ¥ÒýºÅ£¬Î¨Ò»°²È«µÄ·½Ê½¾ÍÊÇÏÞÖƳ¤¶È

---

Â¥ÉÏ˵»°Ò»Õë¼û´¦Å®Ñª
Ï൱¾«±Ù

---

ΪʲôҪдÕâÑùµÄSQLÓï¾ä
` ´æ´¢¹ý³ÌÄѵÀ²»¿ÉÒÔ` 
 String.Format ÄѵÀ²»¿ÉÒÔ``

---

string sql = "where username='" + username + "'"
ÕâÖÖÇé¿öÏÂ×î¼òµ¥ÓÐЧµÄ·½·¨Êǽ«Ò»¸ö'Ìæ»»³É''¼´OK¡£
username.Replace("'"