-- Demonstration of the query that results when  1' or '1'='1  is entered as both login name and password.
-- AND binds tighter than OR, so the predicate parses as
--   Name='1' OR ('1'='1' AND Pwd='1') OR '1'='1'
-- The trailing OR '1'='1' is always true, so every row of UserInfo matches and the
-- login check passes without valid credentials.
-- NOTE(review): this example reads UserInfo while the parameterized fix below reads Admin —
-- confirm both describe the same login path.
select * from UserInfo where Name='1' or '1'='1' and Pwd='1' or '1'='1'
登录名和密码输入1' or '1'='1会直接进入主窗体
参数化SQL语句后就会防止这种情况：用户输入只作为参数值绑定，不会被当作SQL语法解析。
// Parameterized version of the login check: username and pwd are bound to @Name and @Pwd
// as values, so quote characters in the input are treated as data rather than SQL syntax,
// and the predicate keeps its intended  Name = ? AND Pwd = ?  structure.
string strSql = "SELECT ID FROM Admin WHERE Name=@Name and Pwd= @Pwd";
SqlParameter[] param = new SqlParameter[]
{
new SqlParameter("@Name", username) ,
// NOTE(review): Pwd is compared directly against the stored column — confirm that `pwd`
// is a hash computed before this point and not the plaintext password.
new SqlParameter("@Pwd", pwd)
// SqlHelper.Exists is defined elsewhere; the body of this if statement continues beyond
// the visible excerpt.
};if(SqlHelper.Exists(strSql,param)==true)