C#: using SQL statements with LIKE while preventing SQL injection

  • 2020-10-23 21:11:01
  • OfStack

This article gives an example of what to do when you need LIKE in a SQL statement that would otherwise be built by string concatenation.

Generally, when a SQL statement with LIKE is built by simply concatenating strings, it is exposed to SQL injection. This is really something to pay attention to.

Here is a preliminary summary that pulls together some of the available information.

Take the following SQL statement:


select * from game where gamename like '% zhang 3%'

In C#:


using System.Data.SqlClient;
using System.Text;

string keywords = " zhang 3";
StringBuilder strSql = new StringBuilder();
// The SQL text contains only the parameter placeholder; no user input is spliced into it.
strSql.Append("select * from game where gamename like @keywords");

SqlParameter[] parameters = new SqlParameter[]
{
    // The % wildcards are added to the parameter value, which the database never parses as SQL.
    new SqlParameter("@keywords", "%" + keywords + "%"),
};

Although the % wildcards are still written around the keyword, they live in the parameter value rather than in the SQL text, so this simple and practical approach blocks SQL injection effectively.
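Building on the parameterized query above, here is an added example that is not from the original article: it keeps the SQL text constant, passes the pattern as a parameter, and additionally escapes the LIKE metacharacters (%, _, [) in the user's keyword so the input matches literally instead of acting as a pattern. The connection string, the `LikeSearch` class and the `EscapeLikePattern`/`BuildSearchCommand` names are assumptions; the code targets System.Data.SqlClient.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LikeSearch
{
    // Escape the characters SQL Server's LIKE treats specially so that user input
    // is matched literally. '\' is declared as the escape character in the query.
    public static string EscapeLikePattern(string input)
    {
        return input
            .Replace("\\", "\\\\")
            .Replace("%", "\\%")
            .Replace("_", "\\_")
            .Replace("[", "\\[");
    }

    // Builds the command: the SQL text never changes, the whole pattern is a parameter.
    public static SqlCommand BuildSearchCommand(SqlConnection conn, string keywords)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "select * from game where gamename like @keywords escape '\\'";
        SqlParameter p = cmd.Parameters.Add("@keywords", SqlDbType.NVarChar, 200);
        p.Value = "%" + EscapeLikePattern(keywords) + "%";
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs: a plain name, and one containing a quote and a wildcard.
        string[] samples = { " zhang 3", "tom's 100%" };
        // Placeholder connection string (assumption); the connection is never opened here.
        using (var conn = new SqlConnection("Server=(local);Database=games;Integrated Security=true"))
        {
            foreach (string s in samples)
            {
                SqlCommand cmd = BuildSearchCommand(conn, s);
                Console.WriteLine(cmd.CommandText);
                Console.WriteLine("  @keywords = " + cmd.Parameters["@keywords"].Value);
            }
        }
    }
}
```

Without the escaping step a keyword such as "100%" is still safe from injection, but the % would widen the match; with it, the parameter value becomes "%tom's 100\%%" and only names containing the literal text are returned.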

I hope this article serves as a reference for building more secure C# database programs.
