SQL 注入 参数化

StringBuilder sbSelect = new StringBuilder();

System.Data.OracleClient.OracleParameter[] parms = { };
ArrayList listParms = new ArrayList();
string sqlgetobject = "select t.* from table t where t.id= :ID ";
listParms.Add(new System.Data.OracleClient.OracleParameter(":ID ", this.ID));
parms = (System.Data.OracleClient.OracleParameter[])listParms.ToArray(typeof(System.Data.OracleClient.OracleParameter));

DataTable dteval = bll.GetbySql(sqlgetobject, parms);

SQL 注入 参数化

原文：https://www.cnblogs.com/jtcr/p/12123511.html