2007年4月27日 星期五

一般防止SQL injection的程式寫法

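' Event handler that fills MyDataGrid with the rows of Authors whose state
' matches the value chosen in MySelect.
' The user-supplied state is passed through a SqlParameter and is never
' concatenated into the SQL text, which is what protects this query against
' SQL injection.
Sub GetAuthors_Click(Sender As Object, E As EventArgs)

    ' The SQL text is a constant; @State is a placeholder bound below.
    Dim SelectCommand As String = "select * from Authors where state = @State"

    ' Using blocks dispose the connection and adapter even if Fill throws.
    Using MyConnection As New SqlConnection("server=(local)\NetSDK;database=pubs;Trusted_Connection=yes")
        Using MyCommand As New SqlDataAdapter(SelectCommand, MyConnection)

            ' Typed, fixed-size parameter: the input travels as data, not as SQL.
            ' NOTE: an input value longer than 2 characters is truncated to the
            ' declared size rather than rejected; validate MySelect.Value at the
            ' UI boundary if silent truncation is not acceptable.
            MyCommand.SelectCommand.Parameters.Add(New SqlParameter("@State", SqlDbType.NVarChar, 2))
            MyCommand.SelectCommand.Parameters("@State").Value = MySelect.Value

            ' Fill opens the connection if it is closed and closes it again when done.
            Dim DS As New DataSet()
            MyCommand.Fill(DS, "Authors")

            MyDataGrid.DataSource = DS.Tables("Authors").DefaultView
            MyDataGrid.DataBind()
        End Using
    End Using
End Sub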
