我有一些疑问（到acccess数据库）是这样的：

I have some queries (to an acccess database) like this :

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL='" + user + "' AND PASSWORD_AZIENDA='" + password + "'";

和我想逃用户和密码，preventing注射。

and I'd like to "escape" user and password, preventing an injection.

我怎样才能做到这一点用C＃和.NET 3.5？我在寻找出头像函数mysql_escape_string PHP的...

How can I do it with C# and .NET 3.5? I'm searching somethings like mysql_escape_string on PHP...

推荐答案

您需要使用的参数。好了不要有，但将是preferable。

You need to use parameters. Well dont have to but would be preferable.

SqlParameter[] myparm = new SqlParameter[2];
myparm[0] = new SqlParameter("@User",user);
myparm[1] = new SqlParameter("@Pass",password);

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@User AND PASSWORD_AZIENDA=@Pass";