使用c#进行错误sql查询

Question

请问如何转换这行代码:

 Dim da As New SqlDataAdapter("select * from View_1 where Words_Sh like N'" & Me.txbSearch.Text & "%'", con)

在c#中

  SqlDataAdapter da = new SqlDataAdapter("select * from View_1 where Words_Sh like N'" + this.txbSearch..Text + "%'", con);
// this line => error

Answer 1

你应该使用parameterized queries.这种字符串连接是开放的SQL Injection攻击.

你应该删除额外的点 this.txbSearch..Text

SqlCommand cmd = new SqlCommand("select * from View_1 where Words_Sh LIKE ' + @txbSearch + '%'", con);
cmd.Parameters.AddWithValue("@txbSearch", this.txbSearch.Text);
SqlDataAdapter da = new SqlDataAdapter(cmd, con);