从C#项目保存sql时出现问题 [英] Problem occured to save sql from C# Project

问题描述

在我的C#代码下面

In my c# code is below

cmd = new SqlCommand("insert into login values(" & TextBox1.Text & "," & TextBox2.Text & ")", con);

它没有运行.发生错误. &没有将字符串定义为字符串

任何人都可以帮助我解决这个问题

It is not run. The error occurred. The & is not defines string to string

Any one help me for this problem

推荐答案

try:

try:

cmd = new SqlCommand("insert into login values('"+ TextBox1.Text + "','"+ TextBox2.Text+"')", con);

我建议您为将ADO .Net与.net应用程序结合使用进行更多练习，您可以获得在google上浏览示例的数量，
请参考以下链接，这可能对您有帮助:
http://msdn.microsoft.com/en-us/library/6759sth4％28v = vs.71％29.aspx [ ^ ]

i suggest you practice more for using ADO .Net with .net applications , u can get number of examples surfing google,
please refer the following link this might help you:
http://msdn.microsoft.com/en-us/library/6759sth4%28v=vs.71%29.aspx[^]

要添加到prabhaamaji的评论中，您还是绝对不应该这样做. br/> 那里有两个问题:一个是SQL语法，另一个是SQL注入.

虽然语法可以使用，但它取决于数据库中列的定义顺序.如果有人修改它并在用户名之前添加一列，则您的代码将失败，因为它首先需要用户名.始终按要填充的顺序命名列:

To add to prabhaamaji''s comments, you really shouldn''t do it that way anyway.
There are two problems there: one with the SQL syntax, and one called SQL Injection.

While the syntax will work, it depends on the order in which the columns in your database are defined. If someone modifis it and adds a column before the username, then your code fails , becasue it expects the username first. Always name the columns, in the order you are goint to fill them:

INSERT INTO login (userName, password) VALUES (...)

那样，可以更好地保护您的代码以防将来发生更改.

当您允许用户直接访问您的sql命令时，就会发生SQL注入，并且可被利用来窃取，破坏或破坏您的数据库.不要连接字符串以构建SQL命令-而是使用参数化查询；
cmd = new SqlCommand("INSERT INTO登录(用户名，密码)VALUES(@ UN，@ PW)"，con)；
cmd.Parameters.AddWithValue("@ UN"，TextBox1.Text);
cmd.Parameters.AddWithValue("@ PW"，TextBox2.Text);

我还想补充两点，值得您考虑-可能稍后，当yoiu有了更多的经验时:
1)不要对控件使用VS默认名称:今天您可能还记得TextBox1有用户名，但是下周还记得吗?将其命名为tbUserName或类似名称，就会更加明显.
2)请勿以明文形式存储密码！这里有一条提示，说明为什么不这样做:密码存储:操作方法. [^ ]

That way your code is better protected against future changes.

SQL Injection happens when you allow the user direct access to you sql command, and can be exploited to steal, damage or destroy your database. Do not concatenate strings to build a SQL command - use Parametrized queries instead;
cmd = new SqlCommand("INSERT INTO login (userName, password) VALUES (@UN, @PW)", con);
cmd.Parameters.AddWithValue("@UN", TextBox1.Text);
cmd.Parameters.AddWithValue("@PW", TextBox2.Text);

There are two others I would like to add in passing, that it is worth your considering - probably later when yoiu have a bit more experience:
1) Do not use the VS default names for controls: You may remember today that TextBox1 has the username, but will you remember next week? Call it tbUserName or similar, and it becomes more obvious.
2) Do not store passwords in clear text! There is a Tip here explaining why not: Password Storage: How to do it.[^]

这篇关于从C#项目保存sql时出现问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！