How to use SQL statements to prevent injection attacks?

halala

I heard that you can use sqlcommand Parameters to prevent injection attacks
I wrote the following statement:
string sql = "select * from members where userName = @ name";
OleDbCommand cmd = new OleDbCommand (sql, con);
con.Open ();
 // Prevent injection attacks
cmd.Parameters.Add ("@ name", OleDbType.VarChar, 50);
cmd.Parameters ["@ name"]. Value = this.TextBox1.Text;
If I now type "'" (comma) in textbox1, what is the value of sql?
I do n’t understand, that big brother helped write about it ~
Let's say I want to change "'" (comma) to "" (space)

393736105

This can be prevented with stored procedures.

halala

Can you be more detailed? explain

ottmann

Using stored procedures

halala

How to use it?
For example, I want to turn commas into spaces?

22151146

Use parameters, don't spell the values.
Some problems cannot be solved using stored procedures.

halala

To use parameters is to use the statement I just wrote? But I didn't find any conversion during debugging?
How to write the correct sentence?

22151146

If you enter ",", the generated SQL statement is equivalent to:
"select * from members where userName = ','"
If you want to replace, you can
cmd.Parameters ["@ name"]. Value = this.TextBox1.Text.Replace (",", "") `;

halala

Still not good, I wrote it like this
 OleDbConnection con = new OleDbConnection ("server = hp; uid = sa; pwd = sa; database = test; Provider = SQLOLEDB");
           string sql = "select * from members where userName = @ userName";
            OleDbCommand cmd = new OleDbCommand (sql, con);
           con.Open ();
           // Prevent injection attacks
           cmd.Parameters.Add ("@ userName", OleDbType.VarChar, 50);
           cmd.Parameters ["@ userName"]. Value = this.TextBox1.Text.Replace ("'", "");
           The value of sql is still select * from members where userName = @ userName
Where is wrong? Urgent ~

枫叶之龙

Use parameters, do not use string dynamic splicing into SQL statements, generally no problem