I would use the String.Format method for clarity:
int i = Magic.Allper(string.Format("insert into tbl_notice values ('{0}','{1}','{2}','{3}','{4}','{5}','{6}')",
Label1.Text,
companyTxt.Text,
txtBranch.Text,
dateTxt.Text,
reportingTxt.Text,
venueTxt.Text,
eligibilityTxt.Text));
You may also want to create an extension method to make sure the strings are passed to SQL safely this way:
using System.Linq;

public static string ToSqlFormat(this string mask, params string[] args)
{
    // string.Replace returns a new string, so the doubled-quote copies have to be
    // collected; ToArray() makes string.Format bind them to {0}..{n} as separate
    // arguments instead of seeing one List object.
    string[] safe = args.Select(a => (a ?? string.Empty).Replace("'", "''")).ToArray();
    return string.Format(mask, safe);
}
This would let you write:
string insert = "insert into tbl_notice values ('{0}','{1}','{2}','{3}','{4}','{5}','{6}')";
int i = Magic.Allper(insert.ToSqlFormat(
Label1.Text,
companyTxt.Text,
txtBranch.Text,
dateTxt.Text,
reportingTxt.Text,
venueTxt.Text,
eligibilityTxt.Text));
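As an added example, not code from the answer above, here is the same seven-value insert written with a parameterized SqlCommand, so each value is sent to the server separately from the SQL text and a quote inside a text box is just data. The column names of tbl_notice, the parameter sizes, the connection string and the NoticeRepository/InsertNotice names are assumptions; the question only shows positional values.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class NoticeRepository
{
    // Assumed column names: the question inserts by position only.
    private const string InsertSql =
        "insert into tbl_notice (title, company, branch, notice_date, reporting, venue, eligibility) " +
        "values (@title, @company, @branch, @notice_date, @reporting, @venue, @eligibility)";

    // Binds one text value as a typed parameter; null becomes DBNull so the insert still runs.
    private static void AddText(SqlCommand cmd, string name, string value)
    {
        cmd.Parameters.Add(name, SqlDbType.NVarChar, 200).Value = (object)value ?? DBNull.Value;
    }

    // Returns the number of rows affected, like the Magic.Allper call in the answer.
    public static int InsertNotice(string connectionString, string title, string company,
        string branch, string noticeDate, string reporting, string venue, string eligibility)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(InsertSql, conn))
        {
            // The statement text above never changes; only parameter values vary,
            // so no quoting or escaping of user input is needed anywhere.
            AddText(cmd, "@title", title);
            AddText(cmd, "@company", company);
            AddText(cmd, "@branch", branch);
            AddText(cmd, "@notice_date", noticeDate); // column type assumed to be text, as in the form
            AddText(cmd, "@reporting", reporting);
            AddText(cmd, "@venue", venue);
            AddText(cmd, "@eligibility", eligibility);

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}

// Usage from the page's code-behind (connStr is an assumed connection string):
// int i = NoticeRepository.InsertNotice(connStr, Label1.Text, companyTxt.Text,
//     txtBranch.Text, dateTxt.Text, reportingTxt.Text, venueTxt.Text, eligibilityTxt.Text);
```

Naming the columns in the insert also protects the code from breaking when a column is added to tbl_notice, which the positional form in the question does not.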
How to ask - http://tinyurl.com/so-hints – Oded 2010-12-07 15:13:22
What error are you getting? – hvgotcodes 2010-12-07 15:14:09
http://en.wikipedia.org/wiki/SQL_injection – 2010-12-07 15:15:09