尝试使用Microsoft访问.mdb插入数据时出现C#SQL语法错误 [英] C# SQL syntax error when trying to insert data with Microsoft access .mdb
问题描述
static OleDbConnection conn = new OleDbConnection(ConfigurationManager.ConnectionStrings [dbProject]。ConnectionString);
执行查询时出现SQL语法错误。
public static void InsertLogins(User u)
{
conn.Open();
OleDbCommand cmd = new OleDbCommand( Insert到tblLogin(用户名,密码,CharPreset)值(' + u.Username + ',' + u.Password + ',' + u.CharPreset + '),conn);
cmd.ExecuteNonQuery();
conn.Close();
}
我可以从数据库中读取使用此查询
OleDbCommand cmd = new OleDbCommand( 选择*来自tblLogin,conn);
我尝试过:
我能想到的一切。它在使用SQL服务器时有效,但我希望它能与Microsoft Access一起使用
首先,谷歌针对SQL注入攻击找出你正在做什么非常糟糕。
接下来,谷歌为C#sql参数化查询找出如何解决这个问题以及你遇到的问题。
为您轻松阅读:
你想知道关于SQL注入的一切(但不敢问)|特洛伊亨特 [ ^ ]
如何在没有技术术语的情况下解释SQL注入? |信息安全堆栈交换 [ ^ ]
查询参数化备忘单| OWASP [ ^ ]
并且:
安全密码验证简单说明 [ ^ ]
Salted Password Hashing - 做它正确 [ ^ ] < br $>
立即修复SQLi漏洞:
使用(OleDbCommand cmd = new OleDbCommand(INSERT INTO tblLogin(Username,Password,CharPreset)VALUES(?,?,?),conn))
{
cmd.Parameters.AddWithValue(p0,u.Username) ;
cmd.Parameters.AddWithValue(p1,u.Password);
cmd.Parameters.AddWithValue(p2,u.CharPreset);
cmd.ExecuteNonQuery();
}
但是不要忽略密码存储问题!
哦,存储static
字段中的连接对象是一个糟糕的主意,特别是如果这是一个Web应用程序。连接不是线程安全的,如果同时发出两个请求,那么你可以期待的最好是崩溃。
static OleDbConnection conn = new OleDbConnection(ConfigurationManager.ConnectionStrings["dbProject"].ConnectionString);
Im getting SQL syntax error when executing the query.
public static void InsertLogins(User u)
{
conn.Open();
OleDbCommand cmd = new OleDbCommand("Insert into tblLogin(Username,Password,CharPreset) values ('" + u.Username + "','" + u.Password + "','" + u.CharPreset + "')", conn);
cmd.ExecuteNonQuery();
conn.Close();
}
I can read from the database using this query
OleDbCommand cmd = new OleDbCommand("Select * From tblLogin", conn);
What I have tried:
Everything I could think of. It works when using SQL server but I want it to work with Microsoft Access
First, Google for "SQL Injection Attack" to find out why what you're doing is so bad.
Next, Google for "C# sql parameterized queries" to find out how to solve that problem and the problem you're running into.
Some light reading for you:
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
And:
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]
An immediate fix for the SQLi vulnerability:
using (OleDbCommand cmd = new OleDbCommand("INSERT INTO tblLogin (Username, Password, CharPreset) VALUES (?, ?, ?)", conn)) { cmd.Parameters.AddWithValue("p0", u.Username); cmd.Parameters.AddWithValue("p1", u.Password); cmd.Parameters.AddWithValue("p2", u.CharPreset); cmd.ExecuteNonQuery(); }
But don't ignore the password storage problem!
Oh, and storing the connection object in astatic
field is a terrible idea, especially if this is a web application. Connections are not thread-safe, and if two requests hit at the same time, the best you can hope for is a crash.
这篇关于尝试使用Microsoft访问.mdb插入数据时出现C#SQL语法错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!