请发给我正确的查询 [英] please send me correct query
问题描述
string verifyinfo =select imagelist,从Gpass传递,其中userid =+ txtuserid.Text +email =+ txtemail.Text;
string verifyinfo = "select imagelist, pass from Gpass where userid=" + txtuserid.Text + "email=" + txtemail.Text;
推荐答案
用户ID和电子邮件将是文本字段,因此您需要在查询中使用''''。你也错过了。
例如
User id and email would be text fields so you would need to use '''' with them in the query. Also you have a missing AND.
E.g.
"select imagelist, pass from Gpass where userid=''" + txtuserid.Text + "'' and email=''" + txtemail.Text + "''"; <br />
但是,请注意写这样的内联查询可能会导致 SQL Injection [ ^ ]。
改为使用参数。
However, also note that write inline queries like this could lead to SQL Injection[^].
Use parameters instead.
你忘了撇号,你忘记了AND
或或
:
Hi,
You forgot apostrophes, and you forgot anAND
orOR
:
string verifyinfo = "select imagelist, pass from Gpass where userid='" + txtuserid.Text + "' AND email='" + txtemail.Text + "'";
但是不要使用字符串连接来构建查询,因为使用字符串连接并不妨碍 SQL注入 [ ^ ]。使用 SqlParameter
传递参数:
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx [ ^ ]
http://www.dotnetperls.com/sqlparameter [ ^ ]
如果您使用 SqlParameter
,试试这段代码:
But don''t use string concatenation to build queries, because using string concatenation doesn''t prevent SQL injection[^]. Use a SqlParameter
to pass a parameter:
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx[^]
http://www.dotnetperls.com/sqlparameter[^]
If you use a SqlParameter
, try this code:
using (SqlCommand command = new SqlCommand("select imagelist, pass from Gpass where userid=@userid AND email=@email", connection))
{
command.Parameters.Add(new SqlParameter("userid", txtuserid.Text));
command.Parameters.Add(new SqlParameter("email", txtemail.Text));
SqlDataReader reader = command.ExecuteReader();
// some other code
}
我建议使用 SqlParameter
来防止SQL注入。
这篇关于请发给我正确的查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!