我有以下代码片段,其中我已经进行了参数化查询,因为我在某处读到了这样可以避免SQL注入。但在进行此更改后,我仍然遇到SQL注入漏洞。
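' Look up TdsSubCode for the TdsCode / DSCode pair chosen in the two combo boxes.
' Both user-entered values travel as SqlParameters; nothing from the UI is ever
' spliced into StrCmd, so this statement itself is not an injection vector.
' NOTE(review): if a scanner still reports SQL injection after this change, the
' finding presumably comes from another, string-built query elsewhere — confirm.
StrCmd = "select TdsSubCode from Rate where TdsCode= @cboTdsCode and DSCode= @cboDedStatus"
dsCmd = New SqlCommand(StrCmd, conTdsPac)
dsCmd.CommandType = CommandType.Text
' AddWithValue infers each parameter's SQL type from the .NET value (a String
' becomes NVARCHAR). If the Rate columns are VARCHAR, Parameters.Add with an
' explicit SqlDbType and size avoids an implicit conversion — TODO confirm column types.
dsCmd.Parameters.AddWithValue("@cboTdsCode", cboTdsCode.Text)
dsCmd.Parameters.AddWithValue("@cboDedStatus", cboDedStatus.Text)
' The original discarded the SqlDataReader, which is never closed and keeps
' conTdsPac busy. Scope it in Using so it is disposed even if reading throws.
Using rdr As SqlDataReader = dsCmd.ExecuteReader()
    ' Row consumption is not shown in the original snippet; read rdr here.
End Using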