C#操作sql server

//1.創建連接字符串

 string strCnn = "server=.;database=students;integrated security=true"; 

       // string strCnn = "server=.;database=students;uid=sa;pwd=123";

        SqlConnection sqlCnn = new SqlConnection();
        sqlCnn.ConnectionString = strCnn;

//2.創建查詢命令、

        SqlCommand sqlCmm = new SqlCommand();
       sqlCmm.Connection = sqlCnn;

sqlCmm.CommandText = "select * from student";

//3.數據適配器

 SqlDataAdapter sqlDA = new SqlDataAdapter(sqlCmm);//能自動創建sqlCnn.Open();SqlCnn.Close();

       // SqlDataAdapter sqlDA = new SqlDataAdapter("select * from student", strCnn);//讓SqlDataAdapter 自動創建連接，和生成SqlCommand.,自動管理連接，打開。
        DataSet ds = new DataSet();

        sqlDA.Fill(ds);//填充DateSet

//綁定到數據集。

        this.GridView1.DataSource = ds;
        this.GridView1.DataBind();

 sqlCmm.CommandText = string.Format("select count(*) from student where sname='{0}' and scity='{1}'",this.TextBox1.Text,this.TextBox2.Text);

 使用  拼接Sql查詢字符串的方法 很容易造成數據庫注入攻擊。

這樣用參數的方法就會很安全

sqlCmm.CommandText = “select Count(*) from student where sname=@sname and scity=@sctiy"
 cmd.Parameters.Clear();
 cmd.Parameters.Add(new SqlParameter("sname",this.TextBox1.Text));
 cmd.Parameters.Add(new SqlParameter("scity",this.TextBox2.Text));