解决方法
使用 SQL 参数：
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter(v=vs.80).aspx
这是 C# 中的一个例子：
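// Parameterized UPDATE: the SQL text holds only @placeholders, and every
// value is sent as a typed SqlParameter, so it is never parsed as SQL text.
// Both the connection and the command are disposed by the using blocks.
using (SqlConnection tConnection = new SqlConnection("YourConnectionString"))
using (SqlCommand tCommand = new SqlCommand())
{
    tCommand.Connection = tConnection;
    tCommand.CommandText = "UPDATE players SET name = @name,score = @score,active = @active WHERE jerseyNum = @jerseyNum";

    // Parameters.Add(name, type) returns the SqlParameter it created, so Value
    // can be assigned directly. Note that the form
    //   Parameters.Add(new SqlParameter(...).Value = x)
    // is wrong: the assignment expression evaluates to x, so x itself (a string
    // or bool, not a SqlParameter) is passed to Add and it throws at runtime.
    // For VarChar, pass the column's declared length as a third argument when it
    // is known; otherwise the size is inferred from the value.
    tCommand.Parameters.Add("@name", System.Data.SqlDbType.VarChar).Value = "Smith,Steve";
    // Values are given in the CLR type matching the declared SqlDbType (int for
    // Int, bool for Bit) rather than as strings, so no implicit conversion is needed.
    tCommand.Parameters.Add("@score", System.Data.SqlDbType.Int).Value = 42;
    tCommand.Parameters.Add("@active", System.Data.SqlDbType.Bit).Value = true;
    tCommand.Parameters.Add("@jerseyNum", System.Data.SqlDbType.Int).Value = 99;

    // ExecuteNonQuery requires an open connection; the original never opened it.
    tConnection.Open();
    tCommand.ExecuteNonQuery();
}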