用 parameterized queries 防止 SQL Injection

當用程式做資料庫操作時, 不建議把 SQL command 直接寫在 code 裡面, 因為這樣常會有背 SQL injection 的風險, 比較好的方式是使用 parameterized queries.

例如:

string stmt = "INSERT INTO dbo.Test(id, name) VALUES(@ID, @Name)";

SqlCommand cmd = new SqlCommand(smt, _connection);
cmd.Parameters.Add("@ID", SqlDbType.Int);
cmd.Parameters.Add("@Name", SqlDbType.VarChar, 100);

for (int i = 0; i < 10000; i++)
{
    cmd.Parameters["@ID"].Value = i;
    cmd.Parameters["@Name"].Value = i.ToString();

    cmd.ExecuteNonQuery();
}

reference:
http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
http://stackoverflow.com/questions/8218867/c-sharp-sql-insert-command