SQL查询语法未在ASP.NET C#中选择值 [英] SQL query syntax not picking value in ASP.NET c#
本文介绍了SQL查询语法未在ASP.NET C#中选择值的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在为我的公司开发一个网站,并在数据查询中编写了以下内容:
Hi,
I am developing a website for my company and in a data query I wrote the following:
OleDbCommand cmd14 = new OleDbCommand("SELECT USER_NAME FROM EMPLOYEE WHERE USER_NAME LIKE ''"+ lbl_Username_1.Text+"*''", con);
运行时的此命令生成一个查询,该查询将在我使用的MS Access数据库上处理:
从USER_NAME所在的雇员中选择USER_NAME,例如"vivek.sharma *"
现在,此查询在我的数据库中手动运行时返回2个值,但是在我的网站运行中,它不会产生任何结果.
请提出建议.
This commend on runtime generates a query to be processed on MS access db which i am using as:
SELECT USER_NAME FROM EMPLOYEE WHERE USER_NAME LIKE ''vivek.sharma*''
now this query on running manually in my database returns 2 values, but in my website run, it does not result anything.
please suggest.
推荐答案
首先,您在这里做的很不好:用UI数据组成查询.
这存在SQL注入的潜在危险.请参阅:
http://en.wikipedia.org/wiki/SQL_injection [ http://en.wikipedia.org/wiki/Prepared_statement [ http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx [ ^ ].
根据此通配符为%"或"_",而不是"*":
http://www.w3schools.com/sql/sql_like.asp [ http://www.w3schools.com/sql/sql_wildcards.asp [
To start from, you are doing really bad thing here: compose a query out of UI data.
This presents a potential danger of SQL injection. Please see:
http://en.wikipedia.org/wiki/SQL_injection[^].
You should use parametrized commands (in this case, parametrized query) instead. Please see:
http://en.wikipedia.org/wiki/Prepared_statement[^],
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx[^].
The wildcards are ''%'' or ''_'', not ''*'', according to this:
http://www.w3schools.com/sql/sql_like.asp[^],
http://www.w3schools.com/sql/sql_wildcards.asp[^].
—SA
这篇关于SQL查询语法未在ASP.NET C#中选择值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文