如何修复此代码？ [英] how to fix this code ?

问题描述

SqlStr = " Delete from FilelibF where IdAttachBord = + GridFile.SelectedRows[0].Cells[0].Value + ";
sqlcmd = new SqlCommand(SqlStr, cn);
sqlcmd.ExecuteNonQuery();

当我想删除我的一些文件时程序说：'0'附近的语法不正确。这是什么意思以及如何修复它？!!

when i want to delete some file in my program it says : Incorrect syntax near '0'. what is that mean and how to fix it ?!!

推荐答案

GridFile.SelectedRows [0] .Cells [0] .Value part inside 引号，因此它被视为查询的一部分。您必须在 + 运算符之前关闭引号。



但是，SQL查询的字符串连接很糟糕想法：你很容易受到 SQL注入的攻击[ ^ ]。使用参数化查询：它们修复漏洞并使您的查询更具可读性。

The GridFile.SelectedRows[0].Cells[0].Value part is inside the quotes, so it gets treated as a part of the query. You have to close the quotes before the + operator.

However, string concatenation for SQL queries is a bad idea: you're vulnerable for SQL injection[^]. Use parameterized queries instead: they fix the vulnerability and make your query more readable.

SqlStr = "Delete from FilelibF where IdAttachBord = @SelectedCell";
sqlcmd = new SqlCommand(SqlStr, cn);
sqlcmd.Parameters.Add(new SqlParameter("SelectedCell", GridFile.SelectedRows[0].Cells[0].Value));
sqlcmd.ExecuteNonQuery();

这篇关于如何修复此代码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！