我的代码中有什么错误? [英] What is the error in my code?
问题描述
亲爱的朋友们,
请告诉我bellow查询中的错误,
Dear Friends,
Please tell me the error in bellow query,
SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName=" + Request.QueryString["CategoryName"], con);
注意:我想在Repeater控件中基于字符串绑定值。 />
提前谢谢。
Note: I want to bind the values based on string in Repeater control.
Thanks in advance.
推荐答案
唯一可见的错误是您错过了将CategoryName的值包装在内一对单引号。
试试这个 -
The only visible error is you have missed to wrap your value for CategoryName within a pair of single quotes.
Try this-
SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName='" + Request.QueryString["CategoryName"]+"'", con);
注意:建议使用参数化查询或存储过程来防止SQL注入。
参考:
使用参数化查询来防止SQL Server中的SQL注入攻击 [ ^ ]
http://www.dotnetperls.com/sqlparameter [ ^ ]
SQL Injection Atta cks和关于如何预防他们的一些提示 [ ^ ]
希望,它有帮助:)
Note: It is always recomended to use parameterized query or stored procedure to prevent SQL Injection.
Reference:
Using Parameterized queries to prevent SQL Injection Attacks in SQL Server[^]
http://www.dotnetperls.com/sqlparameter[^]
SQL Injection Attacks and Some Tips on How to Prevent Them[^]
Hope, it helps :)
使用参数
use parameter
SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName=@CategoryName", con);
cmd.Parameters.AddWithValue("@CategoryName", Request.QueryString["CategoryName"]);
或者你的inline参数指定为字符串,使用''
Or in your inline parameter specify it as string, by using ''
SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName='" + Request.QueryString["CategoryName"]+"'", con);
但是参数化的sql查询更安全它将保护您的应用程序免受SQL注入攻击。
but Parameterized sql query is more safe and it will protect your application from sql injection attacks.
这篇关于我的代码中有什么错误?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!