
登入账号的漏洞:or '1'='1'-有关问题如何解决啊

登入账号的漏洞:or '1'='1'--问题怎么解决啊?
登入账号:or '1'='1'--问题怎么解决啊?

------解决方案--------------------------------------------------------
用参数化SQL语句(参数化查询):用户输入只作为参数值传入,不再拼接进SQL文本,因此 or '1'='1' 这类输入只会被当作普通字符串来比较,
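select count(*) from 用户 where 用户名=@userName and 密码=@password

// The typed values are bound as parameter values, so they can never become part of the
// query text above: an input such as  ' or '1'='1  is compared literally as a user name.
// (Fixed: AddWidthValue -> AddWithValue, and Trim is a method call, Trim().)
cmd.Parameters.AddWithValue("@userName", TextBoxUserName.Text.Trim());
cmd.Parameters.AddWithValue("@password", TextBoxUserPwd.Text.Trim());
// NOTE(review): `密码=@password` compares the typed password directly with the stored
// column, which only works if the column holds the plain-text password; store a salted
// hash and compare against the hash instead.
if ((int)cmd.ExecuteScalar() > 0)
    登录成功;
else
    用户名或密码错;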
------解决方案--------------------------------------------------------
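 /// <summary>
 /// 用于后台显示登陆后的账户信息 — loads the single SysAdmin row whose LoginID matches.
 /// </summary>
 /// <param name="LoginID">Login name to look up; bound as a SQL parameter, never concatenated into the query.</param>
 /// <returns>The populated <see cref="SysAdmin"/>, or <c>null</c> when no row matches.</returns>
 public SysAdmin GetModel(string LoginID)
 {
     SysAdmin sysAdm = null;
     StringBuilder strSql = new StringBuilder();
     strSql.Append("select  top 1 ID,LoginID,LoginPWD,LoginTime,IPID,State,Types from SysAdmin");
     strSql.Append(" where LoginID=@LoginID");
     // 【参数化】: LoginID travels as a parameter value, so it cannot alter the query text.
     SqlParameter par = new SqlParameter("@LoginID", LoginID);
     using (SqlDataReader dr = SqlHelperMain.GetReader(strSql.ToString(), par))
     {
         if (dr.Read())
         {
             sysAdm = new SysAdmin();
             // Convert.* instead of int.Parse(dr[i].ToString()) / DateTime.Parse(dr[i].ToString()):
             // the ToString/Parse round trip depends on the current culture and, for DateTime,
             // silently drops the sub-second part. Convert.ToString still yields "" for DBNull,
             // as the original did for the string columns.
             sysAdm.ID = Convert.ToInt32(dr[0]);
             sysAdm.LoginID = Convert.ToString(dr[1]);
             // NOTE(review): the stored LoginPWD is materialised into the model; if that column
             // holds a plain-text password, hash it at rest and avoid loading it for display.
             sysAdm.LoginPWD = Convert.ToString(dr[2]);
             sysAdm.LoginTime = Convert.ToDateTime(dr[3]);
             sysAdm.IPID = Convert.ToInt32(dr[4]);
             sysAdm.State = Convert.ToBoolean(dr[5]);
             sysAdm.Types = Convert.ToInt32(dr[6]);
         }
     }
     return sysAdm;
 }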
------解决方案--------------------------------------------------------
 protected void ibtnLogin_Click(object sender, ImageClickEventArgs e)
{
int i = this.checkLogin(txtUserName.Text, txtPassword.Text);
if (i > 0)
{
if (Session["GoogleCode"].ToString().ToUpper() == txtCheckCode.Text.ToUpper().Trim())
{
StrHelper.AlertAndRedirect("登录成功!", "Default.aspx");
}
else
{
StrHelper.AlertAndGoBack("验证码输入有误,请重新输入!");
}
}
else
{
StrHelper.Alert("用户名或密码不正确!");
}
}
 public int checkLogin(string loginName, string loginPwd)
{
string ConnString = ConfigurationSettings.AppSettings["ConnectionString"];
SqlConnection con = new SqlConnection(ConnString);
SqlCommand myCommand = new SqlCommand("select count(*) from web_user where userid=@loginName and password=@loginPwd",con); 
myCommand.Parameters.Add(new SqlParameter("@loginName", SqlDbType.NVarChar, 20));
myCommand.Parameters["@loginName"].Value = loginName;
myCommand.Parameters.Add(new SqlParameter("@loginPwd", SqlDbType.NVarChar, 20));
myCommand.Parameters["@loginPwd"].Value = loginPwd;
myCommand.Connection.Open();
int i = (int)myCommand.ExecuteScalar();
mycomm.Connection.Close();
myCommand.Connection.Close();
return i;
}

------解决方案--------------------------------------------------------
http://www.15ae.com/archive/2011-12/05115956455防SQL注入的一些分享