1、使用参数化SQL语句进行模糊查找的正确方法:
//定义sql语句
string sql = "SELECT StudentID,StudentNO,StudentName FROM Student WHERE StudentName like @StudentName";
//给参数赋值
command.Parameters.AddWithValue("@StudentName", txtStudentName.Text+"%");
2.错误做法1:
//定义sql语句
string sql = "SELECT StudentID,StudentNO,StudentName FROM Student WHERE StudentName like '@StudentName%'";
//给参数赋值
command.Parameters.AddWithValue("@StudentName", txtStudentName.Text);
3.错误做法2:
//定义sql语句
string sql = "SELECT StudentID,StudentNO,StudentName FROM Student WHERE StudentName like @StudentName%";
//给参数赋值
command.Parameters.AddWithValue("@StudentName", txtStudentName.Text);