// Query text this parameter belongs to:
//   sql = "SELECT StudentID,StudentNO,StudentName FROM Student WHERE StudentName like @StudentName";
//
// Bind the search term as a parameter instead of concatenating it into the SQL
// text, so the input travels as data and cannot change the statement's structure.
// The trailing "%" makes the LIKE a prefix ("starts with") match.
//
// NOTE(review): the text is not escaped for LIKE, so pattern metacharacters typed
// by the user (for example "%" or "_") still act as wildcards and widen the match.
// Escape them if a literal match is intended; the escape syntax depends on the
// database in use, which is not visible here.
// NOTE(review): AddWithValue leaves the parameter's database type to be inferred
// from the .NET value; an explicitly typed and sized parameter matching the
// StudentName column is usually preferable. Confirm against the schema.
string studentNamePattern = txtStudentName.Text + "%";
command.Parameters.AddWithValue("@StudentName", studentNamePattern);