如下例所示，这样做了后再也不担心 SQL 注入了……
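/// <summary>
/// Looks up X_Product rows whose X_ProName contains <paramref name="ProName"/> (SQL <c>LIKE</c> with a
/// wildcard on both sides), restricted to ManId 25 and the fixed flag filters in the query text.
/// </summary>
/// <param name="ProName">Substring to search for in X_ProName. It is sent as a SQL parameter, so it cannot
/// alter the query text; note that LIKE metacharacters (<c>%</c>, <c>_</c>, <c>[</c>) inside the value are
/// still interpreted by SQL Server as pattern characters, not as literals.</param>
/// <returns>The first table of the result set returned by <c>DataCenter.GetDbConnection().DsCommandSql</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="ProName"/> is null.</exception>
public static DataTable GetProPriEEfocusNew(string ProName)
{
    // The original dereferenced ProName before anything else, so a null argument failed with a
    // NullReferenceException; make the contract explicit instead.
    if (ProName == null)
    {
        throw new ArgumentNullException(nameof(ProName));
    }

    // The query text is constant; the only caller-controlled value travels through @ProName.
    const string sql =
        "select dbo.GetStock(StockNum) StockNum,X_ProName,X_ProId,Erp_ProName,MOQ,IsPromotions,IsOther from X_Product" +
        " where X_ProName like @ProName and ManId=25 and IsHkStock=0 and IsDeleted=0 and IsOther in (0,3) and IsSell=0 and IsExport=0 and IsShow=0";

    // NOTE(review): the original built this with AppendFormat and passed
    // ProName.Replace("xx", "%").Replace("x", "%") as the format argument, but the format string has no
    // placeholders, so that substitution was never applied — the parameter value has always been the
    // literal ProName wrapped in '%'. If "x" was meant to be a user-facing wildcard, enabling it is a
    // deliberate behaviour change for a separate commit, not a fix made here.
    SqlParameter[] parameters =
    {
        // Size 50 is kept from the original. SqlClient truncates a variable-length input value longer than
        // Size, so a search term over 48 characters (plus the two '%') is silently shortened —
        // TODO confirm against the declared length of the X_ProName column.
        new SqlParameter("@ProName", SqlDbType.NVarChar, 50) { Value = "%" + ProName + "%" },
    };

    IDataAccess access = DataCenter.GetDbConnection();
    return access.DsCommandSql(sql, parameters).Tables[0];
}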