string _sql = "select * from " + db.tName + " INNER JOIN xiangzi ON huanbao.id = xiangzi.tid where tidanhao = '" + System.Web.HttpUtility.HtmlEncode(skey) + "' or xianghao = '" + System.Web.HttpUtility.HtmlEncode(skey) + "'";