SqlParameter用法

if (id != null)
{
sql = @"update [User] set Username = @Username, Password = @Password, Type = @UserType, FullName = @FullName, Telephone = @Telephone, Department = @Department where ID=" + id;
}
else
{
sql = @"insert into [User] (Username, Password, Type, FullName, Telephone, Department) values (@Username, @Password, @UserType, @FullName, @Telephone, @Department)";
}

SqlParameter[] parms = new SqlParameter[]
{
new SqlParameter("@UserType", usertype),
new SqlParameter("@Username", sname),
new SqlParameter("@Password", spwd),
new SqlParameter("@FullName", fullname),
new SqlParameter("@Telephone", telephone),
new SqlParameter("@Department", dept)
};
SqlConnection conn = new SqlConnection(scnn);
conn.Open();
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.Parameters.AddRange(parms);
var row = cmd.ExecuteNonQuery();
conn.Close();