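// 1. Build the connection string (integrated security, so no credentials are embedded in source).
string strCnn = "server=.;database=students;integrated security=true";
// string strCnn = "server=.;database=students;uid=sa;pwd=123";
SqlConnection sqlCnn = new SqlConnection();
sqlCnn.ConnectionString = strCnn;
// 2. Create the query command.
SqlCommand sqlCmm = new SqlCommand();
sqlCmm.Connection = sqlCnn;
sqlCmm.CommandText = "select * from student";
// 3. Data adapter — Fill opens and closes sqlCnn itself when the connection is not already open.
SqlDataAdapter sqlDA = new SqlDataAdapter(sqlCmm);
// SqlDataAdapter sqlDA = new SqlDataAdapter("select * from student", strCnn); // lets the adapter create the connection and command and manage opening/closing.
DataSet ds = new DataSet();
sqlDA.Fill(ds); // fill the DataSet
// Bind the result set to the grid.
this.GridView1.DataSource = ds;
this.GridView1.DataBind();
// Never compose the WHERE clause from TextBox input with string.Format — that is SQL injection:
// whatever the user types becomes part of the SQL text. Bind the values as parameters instead;
// the provider sends them separately from the statement, so they can only ever be compared as data.
sqlCmm.CommandText = "select count(*) from student where sname=@sname and scity=@scity";
sqlCmm.Parameters.Clear();
sqlCmm.Parameters.Add(new SqlParameter("@sname", this.TextBox1.Text));
sqlCmm.Parameters.Add(new SqlParameter("@scity", this.TextBox2.Text));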
使用拼接 SQL 查詢字符串的方法，很容易造成 SQL 注入攻擊。
改用參數化查詢的方法就會安全得多：
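// Parameterized form: the user-supplied values travel as parameters, never as SQL text.
// The parameter names must match the placeholders in the statement exactly (@scity, not @sctiy),
// otherwise SQL Server rejects the command with "Must declare the scalar variable".
sqlCmm.CommandText = "select Count(*) from student where sname=@sname and scity=@scity";
sqlCmm.Parameters.Clear();
sqlCmm.Parameters.Add(new SqlParameter("@sname", this.TextBox1.Text));
sqlCmm.Parameters.Add(new SqlParameter("@scity", this.TextBox2.Text));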