读书人

How to write data with a SqlCommand parameterized query

Published: 2013-09-11 16:26:28 Author: rapoo

Using a SqlCommand parameterized query, how do I write the data into a DataTable?
This is the original code; I've heard it is vulnerable to injection attacks

// param is pasted straight into the SQL text, so its contents are parsed as SQL (injectable)
string sql1 = "select * from article where time="+param+"";
SqlDataAdapter sda1 = new SqlDataAdapter(sql1, conn);
DataSet ds1 = new DataSet();
sda1.Fill(ds1);
DataTable dt1 = ds1.Tables[0];


So I changed it to use SqlCommand; how can this be written into a DataTable?
SqlCommand sc = new SqlCommand("select * from article where time=@p");
sc.Connection = conn;
sc.Parameters.AddWithValue("p","'"+param+"'");

DataTable dt1 = ds1.Tables[0]; // ds1 is never filled here; this is the missing step
Tags: sqlcommand, parameterized query, datatable
[Solution]
Refer to this:
http://www.cnblogs.com/insus/archive/2012/09/22/2698515.html
[Solution]
DataSet ds = new DataSet();
SqlCommand sc = new SqlCommand("select * from article where time=@p");
sc.Connection = conn;
// Pass the raw value. The driver sends it separately from the SQL text, so it must
// NOT be wrapped in quotes: "'" + param + "'" would compare against a value that
// contains literal quote characters and never match.
sc.Parameters.AddWithValue("@p", param);
SqlDataAdapter sda = new SqlDataAdapter(sc);
sda.Fill(ds);
DataTable dt = ds.Tables[0];
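A complete version of the approach in the answer above, as an added example that is not part of the original post or either answer. It assumes a table `article` with a datetime column `time` and uses a placeholder connection string; the class and method names (`ArticleQueries`, `GetArticlesByTime`, `TryParseTime`) and the choice of a typed `SqlDbType.DateTime` parameter instead of `AddWithValue` are mine, not from the page.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original post. Assumes a table `article`
// with a datetime column `time`; the connection string is a placeholder.
public static class ArticleQueries
{
    // Returns the rows of `article` whose `time` equals the given value.
    public static DataTable GetArticlesByTime(string connectionString, DateTime time)
    {
        // [time] is bracketed because `time` is also a T-SQL type name.
        const string sql = "SELECT * FROM article WHERE [time] = @p";
        var table = new DataTable();

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The value travels separately from the SQL text, so it is never
            // parsed as SQL: no quoting, no escaping, no concatenation.
            // A typed parameter also avoids AddWithValue's type inference
            // (e.g. a string being sent as nvarchar and forcing a conversion
            // on every row, which can defeat an index on the column).
            cmd.Parameters.Add("@p", SqlDbType.DateTime).Value = time;

            using (var adapter = new SqlDataAdapter(cmd))
            {
                // Fill opens the connection if it is closed and closes it
                // again afterwards; the DataTable can be used directly,
                // no intermediate DataSet is required.
                adapter.Fill(table);
            }
        }
        return table;
    }

    // Validates untrusted text at the boundary before it reaches the query.
    // Returns false for anything that is not a date, including injection
    // attempts such as "2013-09-11' OR '1'='1".
    public static bool TryParseTime(string input, out DateTime time)
    {
        return DateTime.TryParse(input, out time);
    }

    public static void Main()
    {
        // Placeholder connection string; replace with a real one to run.
        const string cs = "Server=.;Database=app;Integrated Security=true";
        string param = "2013-09-11 16:26:28"; // e.g. taken from a query string

        if (!TryParseTime(param, out DateTime t))
        {
            Console.WriteLine("rejected: not a date");
            return;
        }

        DataTable dt = GetArticlesByTime(cs, t);
        Console.WriteLine("{0} row(s)", dt.Rows.Count);
    }
}
```

If the `time` column is actually a string type, use `SqlDbType.NVarChar` (or `VarChar`, matching the column) with an explicit size instead of `DateTime`. Even then the parameter value is data, not SQL, so a `param` of `2013-09-11' OR '1'='1` simply fails to match any row rather than changing the query.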
