I'm making an C# windows Form Application in visual studio 2010.

我正在 Visual Studio 2010 中制作 C# windows 窗体应用程序。

That application is connecting to an mysql database, and I want to insert data in it.

该应用程序正在连接到 mysql 数据库，我想在其中插入数据。

Now do I have this part of code:

现在我有这部分代码：

MySqlConnection connection;
string cs = @"server=server ip;userid=username;password=userpass;database=databse";
connection = new MySqlConnection(cs);
connection.Open();

MySqlCommand command = new MySqlCommand();
string SQL = "INSERT INTO `twMCUserDB` (`mc_userName`, `mc_userPass`, `tw_userName`, `tw_userPass`) VALUES ('@mcUserName', '@mcUserPass', '@twUserName', '@twUserPass')";
command.CommandText = SQL;
command.Parameters.Add("@mcUserName", mcUserNameNew);
command.Parameters.Add("@mcUserPass", mcUserPassNew);
command.Parameters.Add("@twUserName", twUserNameNew);
command.Parameters.Add("@twUserPass", twUserPassNew);
command.Connection = connection;
command.ExecuteNonQuery();
connection.Close();

The connection is fine. That works.

连接很好。那个有效。

I readed herethat the way that I have now, is an save way to do query's. Is that still right?

我在这里读到，我现在拥有的方式是一种进行查询的保存方式。还是这样吗？

And now to the real question. With that code above, I get the following warning in visual studio:

现在是真正的问题。使用上面的代码，我在 Visual Studio 中收到以下警告：

'MySql.Data.MySqlClient.MySqlParameterCollection.Add(string, object)' is obsolete: '"Add(String parameterName, Object value) has been deprecated.  Use AddWithValue(String parameterName, Object value)"'

That warning is for every parameters.add

该警告适用于每个 parameters.add

And it isn't even working, because the values that are inserted are @mcUserName, @mcUserPass and so on, instead of the values that the variables mcUserNameNew and so on are holding...

它甚至不起作用，因为插入的值是@mcUserName、@mcUserPass 等，而不是变量 mcUserNameNew 等保存的值......

So my question is, am I doing something wrong, and what is the new way to sql injection save do an query?

所以我的问题是，我做错了什么，sql注入保存的新方法是什么？