在ASP.net中将变量添加到字符串

Question

Ok, so it's easy in VB, but I can't figure it out in C#:

SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM tblUsers WHERE username = '" & username & "'", cn);

This throws

 CS0019: Operator '&' cannot be applied to operands of type 'string' and 'string'

Googled it and can't find an answer, help this newbie here please!

Answer 1

Use + to concatentate strings. & functions as either a unary or a binary operator.

However, the correct answer is to use parameterized queries!

The method you are using is subject to SQL injection attacks.

Answer 2

You've already got six (and counting) recommendations to use + instead of &. However, you'd be much better off in the long run to use a parameterized query instead of concatenating a variable directly into the SQL statement. By concatenating, especially if that's user input, you are wide open for SQL injection attacks. By using parameters, you block SQL injection.

SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM tblUsers WHERE username = @user");
cmd.Parameters.AddWithValue("@user",  username);

Answer 3

使用“ +”代替“＆”

Answer 4

+是C＃中的字符串连接运算符。

Answer 5

Use a "+" instead of "&"

SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM tblUsers WHERE username = '" + username + "'", cn);

Answer 6

Use + instead

ie

'" + username + "'"

Answer 7

我更喜欢这种类型的另一个选项是String.Format：

SqlCommand cmd = new SqlCommand(String.Format("SELECT COUNT(*) FROM tblUsers WHERE username = '{0}'",username ), cn);