string strSql = string.Format(@"Select * from tb1 where UserName={0}", username);不能防止Sql注入,但是比拼接字符串节约内存,简洁直观