高分求解!

高分求解!十万火急！

C# code

CommentID = Request.Form["ID"];            content = Request.Form["txtcontent"];            title = Request.Form["title"];            string strSQL = "";            strSQL = "update  tablename set content='" + content + "',title='" + title + "'where ID=" + CommentID;                Common.SqlHelper.ExecuteSql(Common.SqlHelper.YCSqlServer, strSQL);

Request.Form["TEXTAREA2"]里的值为<img src='http://images.qwsy.com/images/faces/005.gif' border='0' />
所以在执行sql语句的时候肯定会出语法错误
求解决方案！


------解决方案--------------------------------------------------------
strSQL = "update tablename set content='" + content.Replace("'","''") + "',title='" + title.Replace("'","''") + "'where ID=" + CommentID;
------解决方案--------------------------------------------------------
最好的方法是参数化
strSQL = "update tablename set content=@content,title=@title Where ID=@ID"
cmd.Parameters.AddWithValue("@content",content);
cmd.Parameters.AddWithValue("@title ",title );
cmd.Parameters.AddWithValue("@ID",CommentID );
cmd.ExecuteNonQuery()

------解决方案--------------------------------------------------------

探讨

最好的方法是参数化
strSQL = "update tablename set content=@content,title=@title Where ID=@ID"
cmd.Parameters.AddWithValue("@content",content);
cmd.Parameters.AddWithValue("@title ",title );
cmd.Parameters.……

------解决方案--------------------------------------------------------
Request.Form["TEXTAREA2"]里的值为<img src='http://images.qwsy.com/images/faces/005.gif' border='0' />
你要的是这个值吗 还是?
------解决方案--------------------------------------------------------

探讨

最好的方法是参数化
strSQL = "update tablename set content=@content,title=@title Where ID=@ID"
cmd.Parameters.AddWithValue("@content",content);
cmd.Parameters.AddWithValue("@title ",title );
cmd.Parameters.……

------解决方案--------------------------------------------------------
参数化。。你这样还容易被sql注入