我的代码有什么问题？它当时还可以 [英] Whats wrong in my codes? Its still ok back then

问题描述

public void del()
  {
      MySqlConnection MyConnection = new MySqlConnection(MyConnectionString);
      MySqlCommand cmd4;
      MySqlDataReader mdr;

      MyConnection.Open();

      string selectQuery = "DELETE FROM `newdoc` where docid =" + int.Parse(delsear.Text);
      cmd4 = new MySqlCommand(selectQuery, MyConnection);

      mdr = cmd4.ExecuteReader();
      if (mdr.Read())
      {

      }
      else
      {
          MessageBox.Show("Delete Successful.");
      }
      MyConnection.Close();
  }

我尝试过：

What I have tried:

string selectQuery = "DELETE FROM `newdoc` where docid =" + int.Parse(delsear.Text);

在这一行中说格式异常未处理

in this line says format exception was unhandled

推荐答案

这意味着用户输入的文本不是有效整数。使用 int.TryParse [ ^ ]尝试解析文本，如果不是则显示错误有效。



您应该避免使用字符串连接来构建查询。在这种特殊情况下，由于参数已知为整数，因此您可能没问题。但这是一个坏习惯，并导致 SQL注入 [ ^ ]漏洞。



此外，您不希望使用 ExecuteReader 进行插入，更新或删除命令，因为它们不返回任何内容。改为使用 ExecuteNonQuery 。



最后，你应该使用包装一次性对象阻止确保他们的资源总是被正确清理。

That means the text the user has entered is not a valid integer. Use int.TryParse[^] to attempt to parse the text, and display an error if it's not valid.

You should avoid using string concatenation to build your queries. In this particular case, since the parameter is known to be an integer, you're probably OK. But it's a bad habit to get into, and leads to SQL Injection[^] vulnerabilities.

Also, you don't want to use ExecuteReader for an insert, update, or delete command, since they don't return anything. Use ExecuteNonQuery instead.

And finally, you should wrap the disposable objects in using blocks to ensure that their resources are always cleaned up properly.

public void del()
{
    int docid;
    if (!int.TryParse(delsear.Text, out docid))
    {
        MessageBox.Show("Please enter a valid ID.");
        return;
    }
    
    using (MySqlConnection MyConnection = new MySqlConnection(MyConnectionString))
    using (MySqlCommand cmd4 = new MySqlCommand("DELETE FROM `newdoc` where docid = @docid", MyConnection))
    {
        cmd4.Parameters.AddWithValue("@docid", docid);
        
        MyConnection.Open();
        cmd4.ExecuteNonQuery();
    }
    
    MessageBox.Show("Delete Successful.");
}

---

你想知道关于SQL注入的一切（但不敢问）特洛伊亨特 [ ^ ]

如何在没有技术术语的情况下解释SQL注入？ |信息安全堆栈交换 [ ^ ]

查询参数化备忘单| OWASP [ ^ ]

---

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

可能 delsear.Text 不包含可转换为 int 的字符串。如果发生这种情况，则会抛出一个由代码处理的异常。



为避免异常，请调用 Int32.TryParse方法（String，Int32）（系统） [ ^ ]在使用变量创建查询字符串之前检查返回值：

Probably delsear.Text does not contain a string that can be converted to an int. If that happens, an exception is thrown that is not handled by your code.

To avoid exceptions, call the Int32.TryParse Method (String, Int32) (System)[^] before creating the query string using a variable and check the return value:

int docid;
if (!Int32.TryParse(delsear.Text, out docid))
{
    // handle / report error here
    return;
}
string selectQuery = "DELETE FROM `newdoc` where docid =" + docid;

这篇关于我的代码有什么问题？它当时还可以的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！