将varchar值转换为数据类型int时转换失败。 [英] Conversion failed when converting the varchar value to data type int.
问题描述
你好,
当我进行SELECT查询时,我想在'WHERE'子句中选择一个条件。那个值必须是varchar,我把一个int值,但问题是当一个runn查询我收到这条消息:
Msg 245,Level 16,State 1,Line 2
将varchar值'Krokodilli'转换为数据类型int时转换失败。
所以,我从来没有在我的查询中键入类似'Krokodilli'的东西,我只是放了一些数字。我不知道SQL在哪里使用'Krokodilli'这个词,而不是像我输入的52488这样的数字。
有谁知道最近发生了什么?
我的尝试:
我没有尝试任何东西。我只是在寻找任何解决方案
Krokodilli这个词并非来自您的查询,而是来自您的数据 - 并且它在你想要比较的专栏中。
我们看不到你的代码 - 或你的数据 - 所以我们无法告诉你到底是什么要解决此问题,但WHERE子句的一部分导致SQL尝试将列转换为整数值并失败。
仔细查看它,并尝试在所需的任何值上加上引号比较或使用CONVERT将参数值更改为NVARCHAR进行比较: CAST和CONVERT(Transact-SQL)| Microsoft Docs [ ^ ]
引用:所以,我从不输入在我的查询中,像'Krokodilli'之类的东西,我只是写了一些数字。我不知道SQL在哪里使用'Krokodilli'这个词,而不是显示我输入的52488这样的数字。
这就是SQL注入的全部内容。您的SQL服务器开始执行您未在查询中键入的某些代码。
永远不要通过连接字符串来构建SQL查询。迟早,您将使用用户输入来执行此操作,这会打开一个名为SQL注入的漏洞,这对您的数据库很容易并且容易出错。
名称中的单引号你的程序崩溃。如果用户输入像Brian O'Conner这样的名称可能会使您的应用程序崩溃,那么这是一个SQL注入漏洞,崩溃是最少的问题,恶意用户输入,并且它被提升为具有所有凭据的SQL命令。
SQL注入 - 维基百科 [ ^ ]
SQL注入 [ ^ ]
按示例进行SQL注入攻击 [ ^ ]
PHP:SQL注入 - 手册 [ ^ ]
SQL注入预防备忘单 - OWASP [ ^ ]
Hi there, When I make a SELECT query, i want to take a row that has a condition in 'WHERE' clause. That value must be varchar, I put an int value, but the problem is when a runn a query I get this message: Msg 245, Level 16, State 1, Line 2 Conversion failed when converting the varchar value 'Krokodilli' to data type int. So, I never type something like 'Krokodilli' in my query, I jut put some numbers. I don't know where SQL takes this word 'Krokodilli', instead of showing some number like 52488 that I type. Anybody knows whats is going on?
What I have tried:
I did not try anything. i am just looking for any sollucions
The word "Krokodilli" doesn't come from your query, it comes from your data - and it's in the column that you are trying to compare.
We can't see your code - or your data - so we can't tell you exactly what to do to fix this, but part of your WHERE clause is causing SQL to try and convert your column to an integer value and failing.
Look closely at it, and try putting quotes around any litteral values you want to compare, or using CONVERT to change parameter values to NVARCHAR for comparison: CAST and CONVERT (Transact-SQL) | Microsoft Docs[^]
Quote:So, I never type something like 'Krokodilli' in my query, I jut put some numbers. I don't know where SQL takes this word 'Krokodilli', instead of showing some number like 52488 that I type.
That is all what SQL injection is about. Your SQL server start to execute some code that you didn't typed in the query.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
这篇关于将varchar值转换为数据类型int时转换失败。的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
