ASP.NET防SQL注入之SqlParameter的使用介绍
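// Read the user-supplied lookup keys from the form. Trim() already returns a string,
// so the trailing .ToString() in the original was redundant and has been dropped.
string strOrderID = this.textBox1.Text.Trim();
string strCustomerID = this.textBox2.Text.Trim();
// The injectable version built the statement by concatenating the raw input into the SQL text:
//string strSql = "Select * from [Orders] Where OrderId = '" + strOrderID + "' AND CustomerID = '" + strCustomerID + "'";
// The safe version keeps the SQL text constant and refers to the inputs by named placeholders;
// the values are sent as typed parameters, so they can never change the statement's structure.
string strSql = "Select * from [Orders] Where OrderId = @strOrderID AND CustomerID = @strCustomerID";
// `con` is a SqlConnection owned by the enclosing code (not shown here). SqlCommand is
// IDisposable; the code that executes myCommand should dispose it when finished.
SqlCommand myCommand = new SqlCommand(strSql, con);
// Bind @strOrderID with an explicit type and size rather than AddWithValue, so the
// parameter's declared type stays the same on every call (helps query-plan reuse).
// NOTE(review): for input parameters SqlClient transmits at most Size characters, so a
// value longer than 64 is silently cut off before it reaches the server — confirm 64 matches
// the column's declared length, and that the column really is VARCHAR rather than NVARCHAR.
SqlParameter prOrderId = new SqlParameter("@strOrderID", SqlDbType.VarChar, 64);
prOrderId.Value = strOrderID;
myCommand.Parameters.Add(prOrderId);
// Bind @strCustomerID the same way (same size caveat as above).
SqlParameter prCustomerID = new SqlParameter("@strCustomerID", SqlDbType.VarChar, 64);
prCustomerID.Value = strCustomerID;
myCommand.Parameters.Add(prCustomerID);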