sql 防注入插入

var strsql = "insert into Staff_Answer (ExamTitleID,QuestionsID,MultipleChoice,RightOption,AnswerOption,IsRight,Score,StaffScore,Remark,State,Creator,CreatOrg,CreateTime) values";
strsql += "(@ExamTitleID,@QuestionsID,@MultipleChoice,@RightOption,@AnswerOption,@IsRight,@Score,@StaffScore,@Remark,@State,@Creator,@CreatOrg,@CreateTime)";
var cmd = new SqlCommand(strsql);
var param = new SqlParameter[] {
new SqlParameter("@ExamTitleID",SqlDbType.UniqueIdentifier),
new SqlParameter("@QuestionsID",SqlDbType.UniqueIdentifier),
new SqlParameter("@MultipleChoice",SqlDbType.NVarChar,),
new SqlParameter("@RightOption",SqlDbType.NVarChar,),
new SqlParameter("@AnswerOption",SqlDbType.NVarChar,),
new SqlParameter("@IsRight",SqlDbType.NVarChar,),
new SqlParameter("@Score",SqlDbType.Decimal,),
new SqlParameter("@StaffScore",SqlDbType.Decimal,),
new SqlParameter("@Remark",SqlDbType.Text),
new SqlParameter("@State",SqlDbType.NVarChar,),
new SqlParameter("@Creator",SqlDbType.NVarChar,),
new SqlParameter("@CreatOrg",SqlDbType.NVarChar,),
new SqlParameter("@CreateTime",SqlDbType.NVarChar,)
}; param[].Value = new Guid(this.ExamTitleCode.Value);
param[].Value = new Guid(QuestionsID);
param[].Value = Anserdt.Rows[]["MultipleChoice"].ToString();
param[].Value = RightOption;
param[].Value = AnswerOption;
param[].Value = ISRight ? "" : "";
param[].Value = Convert.ToInt32(Question.Rows[]["Score"]);
param[].Value = ISRight ? Convert.ToInt32(Question.Rows[]["Score"]) : ;
param[].Value = this.Remark.InnerText;
param[].Value = "";
param[].Value = userid;
param[].Value = Orgname1;
param[].Value = DateTime.Now; foreach (SqlParameter para in param)
{
cmd.Parameters.Add(para);
}
helps.GetExecuteNonQueryBySqlPa(cmd);
}