用sqlcommand参数化查询,怎么把数据写入datatable ?
这是原来的代码,听说会被注入攻击
string sql1 = "select * from article where time="+param+"";
SqlDataAdapter sda1 = new SqlDataAdapter(sql1, conn);
DataSet ds1 = new DataSet();
sda1.Fill(ds1);
DataTable dt1 = ds1.Tables[0];
SqlCommand sc = new SqlCommand("select * from article where time=@p");sqlcommand 参数化查询 datatable
sc.Connection = conn;
sc.Parameters.AddWithValue("p","'"+param+"'");
DataTable dt1 = ds1.Tables[0];
DataSet ds = new DataSet();
SqlCommand sc = new SqlCommand("select * from article where time=@p");
sc.Connection = conn;
sc.Parameters.AddWithValue("@p", "'" + param + "'");
SqlDataAdapter sda = new SqlDataAdapter(sc);
sda.Fill(ds);