diff --git a/BaseDAO.h b/BaseDAO.h
new file mode 100644
index 0000000..7859cb9
--- /dev/null
+++ b/BaseDAO.h
@@ -0,0 +1,23 @@
+/*
+* 数据库操作基础接口
+*/
+#ifndef BASE_DAO_H
+#define BASE_DAO_H
+
+#import "c:\\Program Files\\Common Files\\System\\ado\\msado15.dll" no_namespace rename("EOF", "EndOfFile")
+
+#include<iostream>
+#include<string>
+#include<vector>
+using namespace std;
+
+/*
+* 对参数化sql语句进行参数填充并执行
+* @param connection 数据库连接
+* @param sql 待填充和执行的sql语句
+* @param v 要填充的参数（无参数则传入NULL）
+* @return _RecordsetPtr 返回记录集指针
+*/
+_RecordsetPtr executeSql(_ConnectionPtr connection, const char* sql, vector<string>* v);
+
+#endif // !BASE_DAO_H
\ No newline at end of file
diff --git a/BaseDAOImpl.cpp b/BaseDAOImpl.cpp
new file mode 100644
index 0000000..14209b4
--- /dev/null
+++ b/BaseDAOImpl.cpp
@@ -0,0 +1,22 @@
+/*
+* 数据库操作基础接口实现
+*/
+#include"BaseDAO.h"
+
+_RecordsetPtr executeSql(_ConnectionPtr connection, const char* sql, vector<string>* v) {
+	if (v == NULL) {
+		return connection->Execute(sql, NULL, (long)0);
+	}
+
+	_CommandPtr command(__uuidof(Command));
+	command->ActiveConnection = connection;
+	command->CommandText = sql;
+	command->CommandType = adCmdText;
+	size_t size = v->size();
+	for (size_t i = 0; i < size; i++)
+	{
+		_ParameterPtr p = command->CreateParameter("var" + i, adBSTR, adParamInput, sizeof((*v)[i].c_str()), (*v)[i].c_str());
+		command->Parameters->Append(p);
+	}
+	return command->Execute(NULL, NULL, long(0));
+}
\ No newline at end of file
diff --git a/CourseDAO.h b/CourseDAO.h
index c05de6a..2094528 100644
--- a/CourseDAO.h
+++ b/CourseDAO.h
@@ -9,6 +9,7 @@
 #include<iostream>
 #include<vector>
 #include"Course.h"
+#include"BaseDAO.h"
 
 /*
 * 向数据库添加课程
diff --git a/CourseDAOImpl.cpp b/CourseDAOImpl.cpp
index a84604f..326485d 100644
--- a/CourseDAOImpl.cpp
+++ b/CourseDAOImpl.cpp
@@ -1,27 +1,44 @@
+/*
+* 课程表数据库操作接口实现
+*/
 #include"CourseDAO.h"
 
 void addCourse(_ConnectionPtr connection, Course course) {
-	string sql = "insert into course values('" + course.getId() + "'," +
-		"'" + course.getName() + "')";
+	string sql = "insert into course values(?,?)";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(course.getId());
+	v->push_back(course.getName());
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 void deleteCourse(_ConnectionPtr connection, string id) {
-	string sql = "delete from course where id = '" + id + "'";
+	string sql = "delete from course where id = ?";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(id);
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 void updateCourseName(_ConnectionPtr connection, string id, string name) {
-	string sql = "update course set name = '" + name + "\' where id = \'" + id + "'";
+	string sql = "update course set name = ? where id = ?";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(name);
+	v->push_back(id);
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 Course* getCourseById(_ConnectionPtr connection, string id) {
-	string sql = "select * from course where id = '" + id + "'";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select * from course where id = ?";
+	
+	vector<string>* v = new vector<string>();
+	v->push_back(id);
+	
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	Course* course = new Course();
@@ -31,8 +48,12 @@ Course* getCourseById(_ConnectionPtr connection, string id) {
 }
 
 Course* getCourseByName(_ConnectionPtr connection, string name) {
-	string sql = "select * from course where name = '" + name + "'";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select * from course where name = ?";
+
+	vector<string>* v = new vector<string>();
+	v->push_back(name);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	Course* course = new Course();
@@ -43,7 +64,7 @@ Course* getCourseByName(_ConnectionPtr connection, string name) {
 
 std::vector<Course>* getAllCourse(_ConnectionPtr connection) {
 	string sql = "select * from course";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), NULL);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	std::vector<Course>* v = new std::vector<Course>();
diff --git a/DBCUtils.cpp b/DBCUtils.cpp
index e33de1f..8570b4d 100644
--- a/DBCUtils.cpp
+++ b/DBCUtils.cpp
@@ -1,3 +1,6 @@
+/*
+* 数据库连接工具函数接口实现
+*/
 #include"DBCUtils.h"
 
 bool getConnection(std::string& pwd, _ConnectionPtr& connection) {
diff --git a/GradeDAO.h b/GradeDAO.h
index d775756..2839ac9 100644
--- a/GradeDAO.h
+++ b/GradeDAO.h
@@ -9,6 +9,7 @@
 #include<iostream>
 #include<vector>
 #include"Grade.h"
+#include"BaseDAO.h"
 
 /*
 * 向数据库添加成绩
diff --git a/GradeDAOImpl.cpp b/GradeDAOImpl.cpp
index de10edb..9146d58 100644
--- a/GradeDAOImpl.cpp
+++ b/GradeDAOImpl.cpp
@@ -1,40 +1,66 @@
+/*
+* 成绩表数据库操作接口实现
+*/
 #include"GradeDAO.h"
 
 void addGrade(_ConnectionPtr connection, Grade grade) {
-	string sql = "insert into grade values('" + grade.getStuId() + "'," +
-		"'" + grade.getCourseId() + "'," +
-		"'" + grade.getGradeStr() + "')";
+	string sql = "insert into grade values(?,?,?)";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(grade.getStuId());
+	v->push_back(grade.getCourseId());
+	v->push_back(grade.getGradeStr());
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 void deleteOnesGrade(_ConnectionPtr connection, string stuId, string courseId) {
-	string sql = "delete from grade where stuId = '" + stuId + "\' and courseId = \'" + courseId + "'";
+	string sql = "delete from grade where stuId = ? and courseId = ?";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(stuId);
+	v->push_back(courseId);
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 void deleteGradeByStuId(_ConnectionPtr connection, string stuId) {
-	string sql = "delete from grade where stuId = '" + stuId + "'";
+	string sql = "delete from grade where stuId = ?";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(stuId);
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 void deleteGradeByCourseId(_ConnectionPtr connection, string courseId) {
-	string sql = "delete from grade where courseId = '" + courseId + "'";
+	string sql = "delete from grade where courseId = ?";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(courseId);
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 void updateOnesGrade(_ConnectionPtr connection, string stuId, string courseId, string grade) {
-	string sql = "update grade set grade = " + grade + " where stuId = '" + stuId + "\' and courseId = \'" + courseId + "'";
+	string sql = "update grade set grade = ? where stuId = ? and courseId = ?";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(grade);
+	v->push_back(stuId);
+	v->push_back(courseId);
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 Grade* getOnesGrade(_ConnectionPtr connection, string stuId,string courseId) {
-	string sql = "select * from grade where stuId = '" + stuId + "\' and courseId = \'" + courseId + "'";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select * from grade where stuId = ? and courseId = ?";
+
+	vector<string>* v = new vector<string>();
+	v->push_back(stuId);
+	v->push_back(courseId);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	Grade* grade = new Grade();
@@ -45,59 +71,72 @@ Grade* getOnesGrade(_ConnectionPtr connection, string stuId,string courseId) {
 }
 
 std::vector<Grade>* getGradeByStuId(_ConnectionPtr connection, string stuId) {
-	string sql = "select * from grade where stuId = '" + stuId + "'";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select * from grade where stuId = ?";
+
+	vector<string>* v = new vector<string>();
+	v->push_back(stuId);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
-	std::vector<Grade>* v = new std::vector<Grade>();
+	std::vector<Grade>* vg = new std::vector<Grade>();
 	Grade* grade;
 	for (; !record->EndOfFile; record->MoveNext()) {
 		grade = new Grade();
 		grade->setStuId((char*)(_bstr_t)record->Fields->GetItem("stuId")->Value);
 		grade->setCourseId((char*)(_bstr_t)record->Fields->GetItem("courseId")->Value);
 		grade->setGrade((char*)(_bstr_t)record->Fields->GetItem("grade")->Value);
-		v->push_back(*grade);
+		vg->push_back(*grade);
 	}
-	return v;
+	return vg;
 }
 
 std::vector<Grade>* getGradeByCourseId(_ConnectionPtr connection, string courseId) {
-	string sql = "select * from grade where courseId = '" + courseId + "'";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select * from grade where courseId = ?";
+
+	vector<string>* v = new vector<string>();
+	v->push_back(courseId);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
-	std::vector<Grade>* v = new std::vector<Grade>();
+	std::vector<Grade>* vg = new std::vector<Grade>();
 	Grade* grade;
 	for (; !record->EndOfFile; record->MoveNext()) {
 		grade = new Grade();
 		grade->setStuId((char*)(_bstr_t)record->Fields->GetItem("stuId")->Value);
 		grade->setCourseId((char*)(_bstr_t)record->Fields->GetItem("courseId")->Value);
 		grade->setGrade((char*)(_bstr_t)record->Fields->GetItem("grade")->Value);
-		v->push_back(*grade);
+		vg->push_back(*grade);
 	}
-	return v;
+	return vg;
 }
 
 std::vector<Grade>* getGradeByStuClass(_ConnectionPtr connection, string stuClass) {
-	string sql = "select * from grade where stuId in(select id from student where stuClass = '" + stuClass + "')";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select * from grade where stuId in (select id from student where stuClass = ?)";
+	
+	vector<string>* v = new vector<string>();
+	v->push_back(stuClass);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
-	std::vector<Grade>* v = new std::vector<Grade>();
+	std::vector<Grade>* vg = new std::vector<Grade>();
 	Grade* grade;
 	for (; !record->EndOfFile; record->MoveNext()) {
 		grade = new Grade();
 		grade->setStuId((char*)(_bstr_t)record->Fields->GetItem("stuId")->Value);
 		grade->setCourseId((char*)(_bstr_t)record->Fields->GetItem("courseId")->Value);
 		grade->setGrade((char*)(_bstr_t)record->Fields->GetItem("grade")->Value);
-		v->push_back(*grade);
+		vg->push_back(*grade);
 	}
-	return v;
+	return vg;
 }
 
 std::vector<Grade>* getAllGrade(_ConnectionPtr connection) {
 	string sql = "select * from grade";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), NULL);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	std::vector<Grade>* v = new std::vector<Grade>();
@@ -113,8 +152,12 @@ std::vector<Grade>* getAllGrade(_ConnectionPtr connection) {
 }
 
 double getOnesAvgGrade(_ConnectionPtr connection, string stuId) {
-	string sql = "select count(*) cnt,sum(grade) all_grade from grade where stuId = '" + stuId + "'";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select count(*) cnt,sum(grade) all_grade from grade where stuId = ?";
+	
+	vector<string>* v = new vector<string>();
+	v->push_back(stuId);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	int cnt = atoi((char*)(_bstr_t)record->Fields->GetItem("cnt")->Value);
@@ -123,35 +166,51 @@ double getOnesAvgGrade(_ConnectionPtr connection, string stuId) {
 }
 
 double getOnesAllGrade(_ConnectionPtr connection, string stuId) {
-	string sql = "select sum(grade) all_grade from grade where stuId = '" + stuId + "'";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select sum(grade) all_grade from grade where stuId = ?";
+	
+	vector<string>* v = new vector<string>();
+	v->push_back(stuId);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	return atof((char*)(_bstr_t)record->Fields->GetItem("all_grade")->Value);
 }
 
 double getClassAvgGrade(_ConnectionPtr connection, string stuClass, string courseName) {
-	string sql = "select avg(grade) avg_grade from grade where stuId in (select id from student where stuClass = '" + stuClass + "') ";
-	sql += "and courseId in (select id from course where name = '" + courseName + "')";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select avg(grade) avg_grade from grade where stuId in (select id from student where stuClass = ?) and courseId in (select id from course where name = ?)";
+	
+	vector<string>* v = new vector<string>();
+	v->push_back(stuClass);
+	v->push_back(courseName);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	return atof((char*)(_bstr_t)record->Fields->GetItem("avg_grade")->Value);
 }
 
 double getClassMaxGrade(_ConnectionPtr connection, string stuClass, string courseName) {
-	string sql = "select max(grade) max_grade from grade where stuId in (select id from student where stuClass = '" + stuClass + "') ";
-	sql += "and courseId in (select id from course where name = '" + courseName + "')";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select max(grade) max_grade from grade where stuId in (select id from student where stuClass = ?) and courseId in (select id from course where name = ?)";
+	
+	vector<string>* v = new vector<string>();
+	v->push_back(stuClass);
+	v->push_back(courseName);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	return atof((char*)(_bstr_t)record->Fields->GetItem("max_grade")->Value);
 }
 
 double getClassMinGrade(_ConnectionPtr connection, string stuClass, string courseName) {
-	string sql = "select min(grade) min_grade from grade where stuId in (select id from student where stuClass = '" + stuClass + "') ";
-	sql += "and courseId in (select id from course where name = '" + courseName + "')";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select min(grade) min_grade from grade where stuId in (select id from student where stuClass = ?) and courseId in (select id from course where name = ?)";
+	
+	vector<string>* v = new vector<string>();
+	v->push_back(stuClass);
+	v->push_back(courseName);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	return atof((char*)(_bstr_t)record->Fields->GetItem("min_grade")->Value);
diff --git a/Menu.cpp b/Menu.cpp
index 99943d0..e7b8ef3 100644
--- a/Menu.cpp
+++ b/Menu.cpp
@@ -1,3 +1,6 @@
+/*
+* 菜单接口实现
+*/
 #include"Menu.h"
 
 void mainMenu(_ConnectionPtr connection) {
diff --git a/Menu.h b/Menu.h
index 94442ca..a0bd176 100644
--- a/Menu.h
+++ b/Menu.h
@@ -12,9 +12,6 @@
 #include<direct.h>
 #include<io.h>
 
-#include"Student.cpp"
-#include"Course.cpp"
-#include"Grade.cpp"
 #include"DBCUtils.h"
 #include"MenuUtils.h"
 #include"StringUtils.h"
diff --git a/MenuUtils.cpp b/MenuUtils.cpp
index 2f4d074..55607d5 100644
--- a/MenuUtils.cpp
+++ b/MenuUtils.cpp
@@ -1,3 +1,6 @@
+/*
+* 菜单工具接口实现
+*/
 #include"MenuUtils.h"
 
 void checkOptInput(int& opt, int low, int high) {
diff --git a/SAS.vcxproj b/SAS.vcxproj
index 542136c..3d9498f 100644
--- a/SAS.vcxproj
+++ b/SAS.vcxproj
@@ -127,6 +127,7 @@
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
+    <ClCompile Include="BaseDAOImpl.cpp" />
     <ClCompile Include="CourseDAOImpl.cpp" />
     <ClCompile Include="DBCUtils.cpp" />
     <ClCompile Include="GradeDAOImpl.cpp" />
@@ -137,6 +138,7 @@
     <ClCompile Include="StudentDAOImpl.cpp" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="BaseDAO.h" />
     <ClInclude Include="Course.h" />
     <ClInclude Include="CourseDAO.h" />
     <ClInclude Include="DBCUtils.h" />
diff --git a/SAS.vcxproj.filters b/SAS.vcxproj.filters
index ad61ddc..ea64dd0 100644
--- a/SAS.vcxproj.filters
+++ b/SAS.vcxproj.filters
@@ -39,6 +39,9 @@
     <ClCompile Include="StringUtils.cpp">
       <Filter>婧愭枃浠�</Filter>
     </ClCompile>
+    <ClCompile Include="BaseDAOImpl.cpp">
+      <Filter>婧愭枃浠�</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="DBCUtils.h">
@@ -71,5 +74,8 @@
     <ClInclude Include="Grade.h">
       <Filter>澶存枃浠�</Filter>
     </ClInclude>
+    <ClInclude Include="BaseDAO.h">
+      <Filter>澶存枃浠�</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>
\ No newline at end of file
diff --git a/StringUtils.cpp b/StringUtils.cpp
index 9a764b5..883adbe 100644
--- a/StringUtils.cpp
+++ b/StringUtils.cpp
@@ -1,3 +1,6 @@
+/*
+* 字符串工具接口实现
+*/
 #include"StringUtils.h"
 
 string doubleToString(double num) {
diff --git a/StringUtils.h b/StringUtils.h
index d090c7f..8cd39eb 100644
--- a/StringUtils.h
+++ b/StringUtils.h
@@ -1,3 +1,6 @@
+/*
+* 字符串工具接口
+*/
 #ifndef STRING_UTILS_H
 #define STRING_UTILS_H
 #define _CRT_SECURE_NO_WARNINGS
diff --git a/StudentDAO.h b/StudentDAO.h
index 1fbee6b..ed4bb74 100644
--- a/StudentDAO.h
+++ b/StudentDAO.h
@@ -9,6 +9,7 @@
 #include<iostream>
 #include<vector>
 #include"Student.h"
+#include"BaseDAO.h"
 
 /*
 * 向数据库添加学生
diff --git a/StudentDAOImpl.cpp b/StudentDAOImpl.cpp
index 4a43831..51d5981 100644
--- a/StudentDAOImpl.cpp
+++ b/StudentDAOImpl.cpp
@@ -1,36 +1,57 @@
+/*
+* 学生表数据库操作接口实现
+*/
 #include"StudentDAO.h"
 
 void addStudent(_ConnectionPtr connection, Student student) {
-	string sql = "insert into student values('" + student.getId() + "'," +
-		"'" + student.getName() + "'," +
-		"'" + student.getSex() + "'," +
-		"'" + student.getStuClass() + "'," +
-		"'" + student.getStatus() + "')";
+	string sql = "insert into student values(?,?,?,?,?)";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(student.getId());
+	v->push_back(student.getName());
+	v->push_back(student.getSex());
+	v->push_back(student.getStuClass());
+	v->push_back(student.getStatus());
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 void deleteStudent(_ConnectionPtr connection, string id) {
-	string sql = "delete from student where id = '" + id + "'";
+	string sql = "delete from student where id = ?";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(id);
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 void updateStudentClass(_ConnectionPtr connection, string id, string stuClass) {
-	string sql = "update student set stuClass = '" + stuClass + "\' where id = \'" + id + "'";
+	string sql = "update student set stuClass = ? where id = ?";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(stuClass);
+	v->push_back(id);
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 void updateStudentStatus(_ConnectionPtr connection, string id, string status) {
-	string sql = "update student set status = '" + status + "\' where id = \'" + id + "'";
+	string sql = "update student set status = ? where id = ?'";
 
-	connection->Execute(sql.c_str(), NULL, (long)0);
+	vector<string>* v = new vector<string>();
+	v->push_back(status);
+	v->push_back(id);
+
+	executeSql(connection, sql.c_str(), v);
 }
 
 Student* getStudentById(_ConnectionPtr connection, string id) {
-	string sql = "select * from student where id = '" + id + "'";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select * from student where id = ?";
+
+	vector<string>* v = new vector<string>();
+	v->push_back(id);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	Student *student = new Student();
@@ -43,11 +64,15 @@ Student* getStudentById(_ConnectionPtr connection, string id) {
 }
 
 std::vector<Student>* getStudentByName(_ConnectionPtr connection, string name) {
-	string sql = "select * from student where name = '" + name + "'";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+	string sql = "select * from student where name = ?";
+	
+	vector<string>* v = new vector<string>();
+	v->push_back(name);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), v);
 	if (record->BOF == -1) return NULL;//记录集为空
 
-	std::vector<Student> *v = new std::vector<Student>();
+	std::vector<Student> *vs = new std::vector<Student>();
 	Student* student;
 	for (; !record->EndOfFile; record->MoveNext()) {
 		student = new Student();
@@ -56,14 +81,15 @@ std::vector<Student>* getStudentByName(_ConnectionPtr connection, string name) {
 		student->setSex((char*)(_bstr_t)record->Fields->GetItem("sex")->Value);
 		student->setStuClass((char*)(_bstr_t)record->Fields->GetItem("stuClass")->Value);
 		student->setStatus((char*)(_bstr_t)record->Fields->GetItem("status")->Value);
-		v->push_back(*student);
+		vs->push_back(*student);
 	}
-	return v;
+	return vs;
 }
 
 std::vector<Student>* getAllStudent(_ConnectionPtr connection) {
 	string sql = "select * from student";
-	_RecordsetPtr record = connection->Execute(sql.c_str(), NULL, (long)0);
+
+	_RecordsetPtr record = executeSql(connection, sql.c_str(), NULL);
 	if (record->BOF == -1) return NULL;//记录集为空
 
 	std::vector<Student>* v = new std::vector<Student>();
diff --git a/v2.sql b/v2.sql
new file mode 100644
index 0000000..85033c5
--- /dev/null
+++ b/v2.sql
@@ -0,0 +1,57 @@
+create database stuAdminSystem;
+
+use stuAdminSystem;
+
+create table student(
+	id nvarchar(10) primary key,
+	name nvarchar(15) not null,
+	sex nvarchar(5) not null,
+	stuClass nvarchar(20) not null,
+	status nvarchar(10) not null
+);
+
+create table course(
+	id nvarchar(10) primary key,
+	name nvarchar(50) not null
+);
+
+create table grade(
+	stuId nvarchar(10),
+	courseId nvarchar(10),
+	graded decimal(5,2) not null,
+	primary key(stuId,courseId)
+);
+
+
+
+insert into student 
+values
+('1','张三','男','软件12004','在读'),
+('2','李四','女','软件12004','在读'),
+('3','王五','女','计科12003','在读'),
+('4','赵六','女','物联网12001','在读'),
+('5','李恩情','男','计科12003','在读'),
+('6','魏抵税','男','软件12004','在读'),
+('7','张三','女','计科12003','在读'),
+('8','李六','男','软件12004','在读');
+
+insert into course
+values
+('C001','高数'),
+('C002','大学英语'),
+('C003','线性代数'),
+('C004','大学物理'),
+('C005','C语言'),
+('C006','体育');
+
+insert into grade
+values
+('1','C001',95),
+('1','C002',90),
+('1','C005',97),
+('2','C006',75),
+('2','C001',90),
+('3','C005',76),
+('4','C003',75),
+('5','C001',78),
+('8','C001',98);
\ No newline at end of file