注入漏洞及参数化查询
2012-08-08 12:13:09 来源:WEB开发网核心提示:using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Data.SqlClient;namespace ADO.NET详解{ class Program {
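using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Text;

namespace ADO.NET详解
{
    /// <summary>
    /// Console demo contrasting a string-concatenated login query (open to SQL
    /// injection) with the parameterized form. The concatenated version is kept
    /// only as a commented-out counter-example; the executed code uses parameters.
    /// </summary>
    class Program
    {
        /// <summary>
        /// Reads a user name and password from the console and counts matching
        /// rows in T_Users with a parameterized query, printing success or failure.
        /// </summary>
        /// <param name="args">Unused command-line arguments.</param>
        static void Main(string[] args)
        {
            Console.WriteLine("请输入用户名");
            // Console.ReadLine returns null at end of input. A null parameter value
            // is treated by SqlClient as "not supplied" and fails at execution, so
            // fall back to an empty string (which simply matches nothing).
            string username = Console.ReadLine() ?? string.Empty;
            Console.WriteLine("请输入密码");
            string password = Console.ReadLine() ?? string.Empty;

            // NOTE: the connection string embeds the 'sa' login and its password for
            // demo purposes only; real code loads it from configuration and uses a
            // least-privilege database account.
            // 'using' disposes the connection/command when the block ends, which is
            // equivalent to calling Dispose() explicitly.
            using (SqlConnection conn = new SqlConnection(@"Data Source=.;Database=Database1;user ID=sa;pwd=888888"))
            {
                conn.Open();
                using (SqlCommand cmd = conn.CreateCommand())
                {
                    // Vulnerable form (the article's counter-example, not executed):
                    // splicing the input into the SQL text lets a crafted value rewrite
                    // the WHERE clause, e.g. a password of the form 1' or '1'='1.
                    //cmd.CommandText = "SELECT count(*) from T_Users WHERE UserName='" + username + "' and Password='" + password + "'";

                    // Parameterized form: the input is sent as parameter values and is
                    // never interpreted as SQL text. The "@" prefix matches the names
                    // used in the command text (SqlClient also accepts the bare name).
                    cmd.CommandText = "SELECT count(*) from T_Users WHERE UserName=@Username and Password=@Password";
                    cmd.Parameters.Add(new SqlParameter("@Username", username));
                    cmd.Parameters.Add(new SqlParameter("@Password", password));

                    // ExecuteScalar returns the first column of the first row: the count.
                    int matches = Convert.ToInt32(cmd.ExecuteScalar());

                    // NOTE: this query compares the typed password directly with the
                    // stored Password column, i.e. the table holds passwords in clear
                    // text. A production system stores a salted hash (e.g. PBKDF2) and
                    // verifies it in application code instead of in the WHERE clause.
                    if (matches > 0)
                    {
                        Console.WriteLine("登录成功");
                    }
                    else
                    {
                        Console.WriteLine("用户名或密码错误");
                    }
                }
            }
            Console.ReadKey();
        }
    }
}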
注入查询界面:
参数查询界面