我的搜索代码出错，我需要帮助 [英] I Have An Error On My Search Code, I Need Help Please

问题描述

OleDbConnection con;
            OleDbDataAdapter ad;
            //text test
            if (searchtext.Text == "")
            {
                MessageBox.Show("Plese Inter Employee's ID you are searching for");
            }
            else
            {

                con = new OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\\employees.mdb");

                ad = new OleDbDataAdapter("SELECT * FROM employee WHERE EmpID='searchtext.text'", con);
                                
                ad.SelectCommand.Parameters.Add("@EmpID", OleDbType.Integer);
                ad.SelectCommand.Parameters["@EmpID"].Value = int.Parse(searchtext.Text);
                con.Open();

                employee emp = new employee();
                DataSet ds = emp.get();

                this.idtext.Text = emp.EmpID;
                this.nametext.Text = emp.EmpName;
                this.jobtext.Text = emp.Jobtitle;
                this.comtext.Text = emp.Company;

                

            }
       
        }

推荐答案

两件事：

1）不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。请改用参数化查询。

2）不要用逗号乱丢SQL ...

Two things:
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
2) Don't litter SQL with commas...

command.CommandText = ("SELECT * FROM employee WHERE EmpID LIKE '" + searchtext + "'," con);

应阅读：

Should read:

command.CommandText = ("SELECT * FROM employee WHERE EmpID LIKE '" + searchtext + "'", con);

但严重的是，使用参数化查询......或者您的数据库是吐司。

But seriously, use parameterised queries...or your database is toast.

这篇关于我的搜索代码出错，我需要帮助的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！