防止SQL注入的参数传值


   GetDb_ZY zy = newGetDb_ZY();
               SqlConnection conn = newSqlConnection(ConfigurationManager.ConnectionStrings["CPWP-ZY-ConnectionString"].ToString());
               SqlCommand cmd = new SqlCommand();
               cmd.Parameters.Add(new SqlParameter("@CName ", SqlDbType.VarChar,300));
               cmd.Parameters["@CName "].Value =No;
               cmd.CommandText = "select 企业中文名称 from 企业中英文对照表 where 企业英文名称=@CName";
               cmd.Connection = conn;
               conn.Open();
               SqlDataReader sd = cmd.ExecuteReader();

               if (sd.Read())
               {
                   No = sd[0].ToString();


                   string str1 = "select * from CH_联络资料 where 企业中文名称 like '%" + No +"%'";
                   GetDb_GNZX gn = new GetDb_GNZX();
                   DataTable dt = gn.GetTableData(str1, "str1");

                   ASPxGridView1.DataSource = dt;
                   ASPxGridView1.DataBind();

                   string str2 = "SELECT * FROM 国内订单表 where (企业名称 like '%" + No +"%'  or 提供名称 like '%" + No + "%') and完成情况<>'已取消'";
                  
                   DataTable dt2 = zy.GetTableData(str2, "str2");
                   ASPxGridView2.DataSource = dt2;
                   ASPxGridView2.DataBind();
                   conn.Close();
               }
