如何修复此代码? [英] how to fix this code ?
本文介绍了如何修复此代码?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
SqlStr = " Delete from FilelibF where IdAttachBord = + GridFile.SelectedRows[0].Cells[0].Value + ";
sqlcmd = new SqlCommand(SqlStr, cn);
sqlcmd.ExecuteNonQuery();
当我想删除我的一些文件时程序说:'0'附近的语法不正确。这是什么意思以及如何修复它?!!
when i want to delete some file in my program it says : Incorrect syntax near '0'. what is that mean and how to fix it ?!!
推荐答案
GridFile.SelectedRows [0] .Cells [0] .Value
part inside 引号,因此它被视为查询的一部分。您必须在+
运算符之前关闭引号。
但是,SQL查询的字符串连接很糟糕想法:你很容易受到 SQL注入的攻击[ ^ ]。使用参数化查询:它们修复漏洞并使您的查询更具可读性。
TheGridFile.SelectedRows[0].Cells[0].Value
part is inside the quotes, so it gets treated as a part of the query. You have to close the quotes before the+
operator.
However, string concatenation for SQL queries is a bad idea: you're vulnerable for SQL injection[^]. Use parameterized queries instead: they fix the vulnerability and make your query more readable.
SqlStr = "Delete from FilelibF where IdAttachBord = @SelectedCell";
sqlcmd = new SqlCommand(SqlStr, cn);
sqlcmd.Parameters.Add(new SqlParameter("SelectedCell", GridFile.SelectedRows[0].Cells[0].Value));
sqlcmd.ExecuteNonQuery();
这篇关于如何修复此代码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文