strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord +"');"
恶意填入 userName = "1' OR '1'='1";与passWord = "1' OR '1'='1";时,将导致原本的SQL字符串被填为 strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1'); "
也就是实际上运行的SQL命令会变成下面这样的strSQL = "SELECT * FROM users;"