错误 - 非法变量名称/编号 [英] Error- illegal variable name/ number
问题描述
错误
int records =(int)cmd.ExecuteScalar();
非法变量名称/编号
我的尝试:
protected void addmem_Click( object sender,EventArgs e)
{
string strq =select group(*)from groupmembers where group_members ='+ txtgrpmem.Text +';
cmd =新的OracleCommand(strq,Dbconn);
cmd.Parameters.AddWithValue(group_members,txtgrpmem.Text);
if(Dbconn.State == ConnectionState.Closed)
{
Dbconn.Open();
}
int records =(int)cmd.ExecuteScalar();
if(records == 0)
{
string str =insert into groupmembers values('+ grpddl.SelectedValue.ToString()+','+ txtgrpmem.Text + ');
cmd =新的OracleCommand(str,Dbconn);
if(Dbconn.State == ConnectionState.Closed)
{
Dbconn.Open();
}
cmd.ExecuteNonQuery();
txtgrpmem.Text =;
FillGrid();
lbladdmem.Text =会员成功添加。;
lbladdmem.ForeColor = System.Drawing.Color.Green;
lblmsg.Text =;
}
其他
{
lblexist.Text =会员已存在;
lblexist.ForeColor = System.Drawing.Color.Green;
}
}
对于初学者,不要这样做!永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。总是使用参数化查询。
连接字符串时会导致问题,因为SQL会收到如下命令:
SELECT * FROM MyTable WHERE StreetAddress = ' Baker' s Wood ' < span class =code-string>就SQL而言,用户添加的引号会终止字符串,并且您会遇到问题。但情况可能更糟。如果我来并改为输入:x'; DROP TABLE MyTable; - 然后SQL收到一个非常不同的命令:
SELECT * FROM MyTable WHERE StreetAddress = ' x'; DROP 表 MyTable; - '哪个SQL看作三个单独的命令:
SELECT * FROM MyTable WHERE StreetAddress = ' x';完全有效的SELECT
DROP TABLE MyTable;完全有效的删除表格通讯和
- '其他一切都是评论。
所以它确实:选择任何匹配的行,从数据库中删除表,并忽略其他任何内容。
所以总是使用参数化查询!或者准备好经常从备份中恢复数据库。你定期做备份,不是吗?
在网站上?那么几千英里以外的人可以控制你的DB吗?不是一个聪明的举动,根本不是......你需要通过你的应用来解决这个问题,作为一个真正的优先事项。
那么你的误解就是如何做参数化查询,这是你 注意到的问题的根源。
cmd.Parameters .AddWithValue(group_members,txtgrpmem.Text);
group_members不是有效的参数名,它们是变量,在SQL中以变量开头atsign。
string strq =select group(*)from groupmembers where group_members = @ GM;
cmd = new OracleCommand(strq,Dbconn);
cmd.Parameters.AddWithValue(@ GM,txtgrpmem.Text);
这里还有其他问题 - 比如你使用单个问题SqlConnection对象可能会在以后给你带来更多问题。
使用块在内创建一个连接,使用它,它会自动生成当它超出范围时关闭并处理:
使用(SqlConnection con = new SqlConnection(strConnect))
{
con.Open();
使用(SqlCommand cmd = new SqlCommand( INSERT INTO myTable(myColumn1,myColumn2)VALUES(@ C1,@ C2),con))
{
cmd .Parameters.AddWithValue( @ C1,myValueForColumn1);
cmd.Parameters.AddWithValue( @ C2,myValueForColumn2);
cmd.ExecuteNonQuery();
}
}
在修复连接问题时更改所有代码以使用该模型,这将为您节省大量时间。
error at
int records = (int)cmd.ExecuteScalar();
illegal variable name/ number
What I have tried:
protected void addmem_Click(object sender, EventArgs e)
{
string strq = "select count(*) from groupmembers where group_members='" + txtgrpmem.Text + "'";
cmd = new OracleCommand(strq, Dbconn);
cmd.Parameters.AddWithValue("group_members", txtgrpmem.Text);
if (Dbconn.State == ConnectionState.Closed)
{
Dbconn.Open();
}
int records = (int)cmd.ExecuteScalar();
if (records == 0)
{
string str = "insert into groupmembers values('" + grpddl.SelectedValue.ToString() + "', '" + txtgrpmem.Text + "')";
cmd = new OracleCommand(str, Dbconn);
if (Dbconn.State == ConnectionState.Closed)
{
Dbconn.Open();
}
cmd.ExecuteNonQuery();
txtgrpmem.Text = "";
FillGrid();
lbladdmem.Text = "Member added successfully.";
lbladdmem.ForeColor = System.Drawing.Color.Green;
lblmsg.Text = "";
}
else
{
lblexist.Text = "Member already exist";
lblexist.ForeColor = System.Drawing.Color.Green;
}
}For starters, don't do that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.
When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';A perfectly valid SELECT
DROP TABLE MyTable;A perfectly valid "delete the table" command
--'And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
And on a website? So someone several thousand miles away can have control of you DB? Not a smart move, not at all ... you need to fix this through your would app, as a matter of real priority.
And then there is your misunderstanding of how to do parameterised queries, which is at the root of the problem you have noticed.
cmd.Parameters.AddWithValue("group_members", txtgrpmem.Text);
group_membersis not a valid parameter name, they are variables, which in SQL start with an atsign.
string strq = "select count(*) from groupmembers where group_members=@GM; cmd = new OracleCommand(strq, Dbconn); cmd.Parameters.AddWithValue("@GM", txtgrpmem.Text);
There are other problems here, though - like your use of a single SqlConnection object which will probably give you a lot more problems later.
Create a Connection inside ausingblock, use it, and it will be automatically closed and disposed when it goes out of scope:
using (SqlConnection con = new SqlConnection(strConnect)) { con.Open(); using (SqlCommand cmd = new SqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con)) { cmd.Parameters.AddWithValue("@C1", myValueForColumn1); cmd.Parameters.AddWithValue("@C2", myValueForColumn2); cmd.ExecuteNonQuery(); } }Change all your code to use that model while you are fixing the concatenation problem, and it'll save you a lot of head scratching later.
这篇关于错误 - 非法变量名称/编号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
