{"获取错误:将varchar值'数据库'转换为数据类型int时转换失败。“} [英] {"Fetch error:conversion failed when converting the varchar value 'data base' to data type int."}
问题描述
{获取错误:将varchar值'数据库'转换为数据类型int时转换失败。}
我尝试过:
私有DataTable GetData()
{
DataTable dt = new DataTable();
SqlConnection connection = new SqlConnection(Data Source = .; Initial Catalog = Quiz_system; Integrated Security = True);
try
{
connection.Open();
SqlCommand sqlCmd = new SqlCommand(选择question_no,question,op1,op2,op3,op4,correct_ans来自tbl_question_bank其中course_name =' + lblcorrect.Text.ToString()+'和quiz_id ='+ lblqid.Text +',connection);
SqlDataAdapter sqlDa = new SqlDataAdapter(sqlCmd);
sqlDa.Fill(dt);
}
catch(System.Data.SqlClient.SqlException ex)
{
string msg =获取错误:;
msg + = ex.Message;
抛出新的异常(msg);
}
终于
{
connection.Close();
}
返回dt;
}
{"Fetch Error:Conversion failed when converting the varchar value 'Data Base' to data type int."}
What I have tried:
private DataTable GetData()
{
DataTable dt = new DataTable();
SqlConnection connection = new SqlConnection("Data Source=.;Initial Catalog=Quiz_system;Integrated Security=True");
try
{
connection.Open();
SqlCommand sqlCmd = new SqlCommand("Select question_no,question,op1,op2,op3,op4,correct_ans From tbl_question_bank where course_name='" + lblcorrect.Text.ToString() + "' and quiz_id='"+lblqid.Text+"'", connection);
SqlDataAdapter sqlDa = new SqlDataAdapter(sqlCmd);
sqlDa.Fill(dt);
}
catch (System.Data.SqlClient.SqlException ex)
{
string msg = "Fetch Error:";
msg += ex.Message;
throw new Exception(msg);
}
finally
{
connection.Close();
}
return dt;
}
推荐答案
永远不要通过与用户输入连接来构建SQL查询,它被命名为 SQL注入,它对您的数据库很危险并且容易出错。
名称中的单引号和程序崩溃。如果像Brian O'Conner这样的用户输入可能会使您的应用程序崩溃,那么这是一个SQL注入漏洞。
SQL注入 - 维基百科 [ ^ ]
SQL注入 [ ^ ]
Never build an SQL query by concatenating with user inputs, it is named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability.
SQL injection - Wikipedia[^]
SQL Injection[^]
这篇关于{"获取错误:将varchar值'数据库'转换为数据类型int时转换失败。“}的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!