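// Inserts one answer row into Staff_Answer with a fully parameterized INSERT.
// Every runtime value is bound through a SqlParameter and never spliced into
// the SQL text, which is what protects this statement from SQL injection.
// The enclosing method's signature and the members used below (ExamTitleCode,
// QuestionsID, Anserdt, RightOption, AnswerOption, ISRight, Question, Remark,
// userid, Orgname1, helps) are declared outside this listing.
var strsql = "insert into Staff_Answer (ExamTitleID,QuestionsID,MultipleChoice,RightOption,AnswerOption,IsRight,Score,StaffScore,Remark,State,Creator,CreatOrg,CreateTime) values";
strsql += "(@ExamTitleID,@QuestionsID,@MultipleChoice,@RightOption,@AnswerOption,@IsRight,@Score,@StaffScore,@Remark,@State,@Creator,@CreatOrg,@CreateTime)";

// SqlCommand is IDisposable; release it once the helper has executed it.
using (var cmd = new SqlCommand(strsql))
{
    // The Size given for NVarChar parameters is an upper bound: SqlClient
    // silently truncates longer string values on input parameters, so these
    // sizes must match the column widths of Staff_Answer.
    var param = new SqlParameter[]
    {
        new SqlParameter("@ExamTitleID", SqlDbType.UniqueIdentifier),
        new SqlParameter("@QuestionsID", SqlDbType.UniqueIdentifier),
        new SqlParameter("@MultipleChoice", SqlDbType.NVarChar, 2),
        new SqlParameter("@RightOption", SqlDbType.NVarChar, 200),
        new SqlParameter("@AnswerOption", SqlDbType.NVarChar, 200),
        new SqlParameter("@IsRight", SqlDbType.NVarChar, 2),
        // For Decimal the third constructor argument is Size, not
        // precision/scale; the values bound below are whole numbers, so it
        // has no effect here.
        new SqlParameter("@Score", SqlDbType.Decimal, 18),
        new SqlParameter("@StaffScore", SqlDbType.Decimal, 18),
        // SqlDbType.Text maps to the legacy text column type; keep it only
        // while the Remark column is still declared that way.
        new SqlParameter("@Remark", SqlDbType.Text),
        new SqlParameter("@State", SqlDbType.NVarChar, 2),
        new SqlParameter("@Creator", SqlDbType.NVarChar, 200),
        new SqlParameter("@CreatOrg", SqlDbType.NVarChar, 200),
        // FIX: the value bound below is a DateTime, but this parameter was
        // declared NVarChar(200), forcing a culture-dependent string
        // round-trip on the way to the server. Declaring it as DateTime
        // sends the value natively. NOTE(review): assumes the CreateTime
        // column is a datetime type — confirm against the schema.
        new SqlParameter("@CreateTime", SqlDbType.DateTime)
    };

    // new Guid(string) throws FormatException on malformed input. Both
    // identifiers originate from the page, so a tampered value fails the
    // request with an exception instead of reaching the database.
    param[0].Value = new Guid(this.ExamTitleCode.Value);
    param[1].Value = new Guid(QuestionsID);
    param[2].Value = Anserdt.Rows[0]["MultipleChoice"].ToString();
    param[3].Value = RightOption;
    param[4].Value = AnswerOption;
    param[5].Value = ISRight ? "1" : "0";
    // The score is converted to a whole number before binding; a fractional
    // score would not survive this conversion. Kept as in the published code.
    param[6].Value = Convert.ToInt32(Question.Rows[0]["Score"]);
    // Staff only earns the question's score when the answer is right.
    param[7].Value = ISRight ? Convert.ToInt32(Question.Rows[0]["Score"]) : 0;
    param[8].Value = this.Remark.InnerText;
    param[9].Value = "1";
    param[10].Value = userid;
    param[11].Value = Orgname1;
    param[12].Value = DateTime.Now;

    cmd.Parameters.AddRange(param);
    helps.GetExecuteNonQueryBySqlPa(cmd);
}
}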
感谢同事给我提供的内容