请发给我正确的查询 [英] please send me correct query

问题描述

string verifyinfo =select imagelist，从Gpass传递，其中userid =+ txtuserid.Text +email =+ txtemail.Text;

string verifyinfo = "select imagelist, pass from Gpass where userid=" + txtuserid.Text + "email=" + txtemail.Text;

推荐答案

用户ID和电子邮件将是文本字段，因此您需要在查询中使用''''。你也错过了。

例如

User id and email would be text fields so you would need to use '''' with them in the query. Also you have a missing AND.
E.g.

"select imagelist, pass from Gpass where userid=''" + txtuserid.Text + "'' and email=''" + txtemail.Text + "''"; <br />

但是，请注意写这样的内联查询可能会导致 SQL Injection [ ^ ]。

改为使用参数。

However, also note that write inline queries like this could lead to SQL Injection[^].
Use parameters instead.

你忘了撇号，你忘记了 AND 或或：

Hi,

You forgot apostrophes, and you forgot an AND or OR:

string verifyinfo = "select imagelist, pass from Gpass where userid='" + txtuserid.Text + "' AND email='" + txtemail.Text + "'";

但是不要使用字符串连接来构建查询，因为使用字符串连接并不妨碍 SQL注入 [ ^ ]。使用 SqlParameter 传递参数：

http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx [ ^ ]

http://www.dotnetperls.com/sqlparameter [ ^ ]



如果您使用 SqlParameter ，试试这段代码：

But don''t use string concatenation to build queries, because using string concatenation doesn''t prevent SQL injection[^]. Use a SqlParameter to pass a parameter:
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx[^]
http://www.dotnetperls.com/sqlparameter[^]

If you use a SqlParameter, try this code:

using (SqlCommand command = new SqlCommand("select imagelist, pass from Gpass where userid=@userid AND email=@email", connection))
	    {
		command.Parameters.Add(new SqlParameter("userid", txtuserid.Text));
		command.Parameters.Add(new SqlParameter("email", txtemail.Text));
		SqlDataReader reader = command.ExecuteReader();
		// some other code
	    }

我建议使用 SqlParameter 来防止SQL注入。

这篇关于请发给我正确的查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！