参数化 SQL 查询语句
有时候插入数据到SQL的时候内容中会有单引号“ ' ”,这个时候一般的查询语句就会出错。
解决方法有几个,一是存储过程,二是参数化查询语句。今天就讲讲第二种
StringBuilder sqlText = new StringBuilder(@" UPDATE tb SET content = @QTY ");
string parameter="内容";
SqlCommand comm = new SqlCommand(sql.ToString());
SqlParameter parms = new SqlParameter();
parms.SqlDbType = SqlDbType.Text;
parms.ParameterName = "QTY";
parms.Value = parameter;
comm.Parameters.Add(parms);
comm.Connection = conn;
try
{
int i = comm.ExecuteNonQuery();
}
catch (Exception ex)
{
}
string parameter="内容";
SqlCommand comm = new SqlCommand(sql.ToString());
SqlParameter parms = new SqlParameter();
parms.SqlDbType = SqlDbType.Text;
parms.ParameterName = "QTY";
parms.Value = parameter;
comm.Parameters.Add(parms);
comm.Connection = conn;
try
{
int i = comm.ExecuteNonQuery();
}
catch (Exception ex)
{
}
