The @CustID means it's a parameter that you will supply a value for later in your code. This is the best way of protecting against SQL injection. Create your query using parameters, rather than concatenating strings and variables. The database engine puts the parameter value into where the placeholder is, and there is zero chance for SQL injection.

@CustID 意味着它是一个参数，您将在稍后的代码中提供一个值。这是防止 SQL 注入的最佳方法。使用参数创建查询，而不是连接字符串和变量。数据库引擎把参数值放到占位符所在的位置，SQL注入的可能性为零。

@ is used as a prefix denoting stored procedure and function parameter names, and also variable names

@ 用作前缀，表示存储过程和函数参数名称，以及变量名称

You may be used to MySQL's syntax: Microsoft SQL @is the same as the MySQL's ?

您可能已经习惯了 MySQL 的语法：Microsoft SQL 与 MySQL 的语法@相同?

Its a parameter the you need to define. to prevent SQL Injection you should pass all your variables in as parameters.

它是您需要定义的参数。为了防止 SQL 注入，您应该将所有变量作为参数传递。

What you are talking about is the way a parameterized query is written. '@' just signifies that it is a parameter. You can add the value for that parameter during execution process

您正在谈论的是编写参数化查询的方式。'@' 只是表示它是一个参数。您可以在执行过程中为该参数添加值

eg:
sqlcommand cmd = new sqlcommand(query,connection);
cmd.parameters.add("@custid","1");
sqldatareader dr = cmd.executequery();

publish data where stoloc = 'AB143' 
|
[select prtnum where stoloc = @stoloc]

This is how the @works.

这就是@工作原理。

@followed by a number is the parameters in the order they're listed in a function.

@后跟一个数字是参数在函数中列出的顺序。