我的代码中有什么错误？ [英] What is the error in my code?

问题描述

亲爱的朋友们，



请告诉我bellow查询中的错误，

Dear Friends,

Please tell me the error in bellow query,

SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName=" + Request.QueryString["CategoryName"], con);

注意：我想在Repeater控件中基于字符串绑定值。 />


提前谢谢。

Note: I want to bind the values based on string in Repeater control.

Thanks in advance.

推荐答案

唯一可见的错误是您错过了将CategoryName的值包装在内一对单引号。

试试这个 -

The only visible error is you have missed to wrap your value for CategoryName within a pair of single quotes.
Try this-

SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName='" + Request.QueryString["CategoryName"]+"'", con);

注意：建议使用参数化查询或存储过程来防止SQL注入。

参考：

使用参数化查询来防止SQL Server中的SQL注入攻击 [ ^ ]

http://www.dotnetperls.com/sqlparameter [ ^ ]

SQL Injection Atta cks和关于如何预防他们的一些提示 [ ^ ]



希望，它有帮助：）

Note: It is always recomended to use parameterized query or stored procedure to prevent SQL Injection.
Reference:
Using Parameterized queries to prevent SQL Injection Attacks in SQL Server[^]
http://www.dotnetperls.com/sqlparameter[^]
SQL Injection Attacks and Some Tips on How to Prevent Them[^]

Hope, it helps :)

使用参数

use parameter

SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName=@CategoryName", con);
cmd.Parameters.AddWithValue("@CategoryName", Request.QueryString["CategoryName"]);

或者你的inline参数指定为字符串，使用''

Or in your inline parameter specify it as string, by using ''

SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName='" + Request.QueryString["CategoryName"]+"'", con);

但是参数化的sql查询更安全它将保护您的应用程序免受SQL注入攻击。

but Parameterized sql query is more safe and it will protect your application from sql injection attacks.

这篇关于我的代码中有什么错误？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！