SQL LIKE 参数化查询

如下例所示，这样做之后就再也不用担心 SQL 注入了。

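/// <summary>
/// Returns the rows of <c>X_Product</c> whose <c>X_ProName</c> contains <paramref name="ProName"/>
/// (a <c>LIKE '%term%'</c> substring match), restricted to the fixed filters in the WHERE clause
/// (ManId = 25, IsHkStock = 0, IsDeleted = 0, IsOther in (0,3), IsSell = 0, IsExport = 0, IsShow = 0).
/// </summary>
/// <param name="ProName">Search term, matched as a substring of <c>X_ProName</c>. Must not be null.</param>
/// <returns>
/// The first table of the result set, with the columns StockNum (via dbo.GetStock), X_ProName,
/// X_ProId, Erp_ProName, MOQ, IsPromotions and IsOther.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="ProName"/> is null.</exception>
public static DataTable GetProPriEEfocusNew(string ProName)
        {
            if (ProName == null)
            {
                throw new ArgumentNullException("ProName");
            }

            StringBuilder strSql = new StringBuilder();
            strSql.Append("select dbo.GetStock(StockNum) StockNum,X_ProName,X_ProId,Erp_ProName,MOQ,IsPromotions,IsOther from X_Product");
            // The search term is only ever bound as @ProName (below), never spliced into the SQL
            // text, so user input cannot alter the statement. Plain Append is used on purpose:
            // this text contains no {0} placeholder, so AppendFormat would silently discard any
            // extra argument passed to it.
            strSql.Append(" where X_ProName like @ProName and ManId=25 and IsHkStock=0 and IsDeleted=0 and IsOther in (0,3) and IsSell=0 and IsExport=0 and IsShow=0");

            // Parameterization stops injection, but SQL Server's LIKE still interprets %, _ and [
            // inside the bound value as wildcards; escape them (e.g. "[%]") if a literal match is
            // required rather than a pattern.
            // NOTE(review): Size 50 means a longer value is truncated before it is sent — confirm
            // this matches the width of the X_ProName column.
            SqlParameter[] parameters = {
                    new SqlParameter("@ProName", SqlDbType.NVarChar, 50)
            };
            parameters[0].Value = "%" + ProName + "%";

            IDataAccess access = DataCenter.GetDbConnection();
            return access.DsCommandSql(strSql.ToString(), parameters).Tables[0];
        }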