为什么不在SQL中工作 [英] Why not work in SQL
问题描述
string sql2 =从[Repeat of dest]中选择[A],[重复次数],其中[A]喜欢'+ textBox4.Text +';
使用(系统.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(sql1,conn2))
{
conn2.Open();
System.Data.SqlClient.SqlDataReader reader = null;
reader = cmd.ExecuteReader();
while(reader.Read())
{
textBox4.Text =(reader [A])。ToString();
}}
我尝试过:
为什么不工作命令sql ??
请帮帮我?
string sql2 = "select [A],[number of dups] from [Repeat of dest] where [A] like '" + textBox4.Text + "' ";
using (System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(sql1, conn2))
{
conn2.Open();
System.Data.SqlClient.SqlDataReader reader = null;
reader = cmd.ExecuteReader();
while (reader.Read())
{
textBox4.Text = (reader["A"]).ToString();
}}
What I have tried:
why not work command sql??
please help me?
推荐答案
首先,因为你做错了:永远不要连接字符串来构建一个SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。
其次,因为你使用的是错误的sql字符串:你声明sql2并使用您的命令中sql1...
最后,因为LIKE需要SQL通配符才能找到类似匹配。在这种情况下,您可能希望在子句的开头和结尾使用%:
Firstly, because you are doing it wrong: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Secondly, because you are using the wrong sql string: you declaresql2and usesql1in your command...
Finally, because LIKE requires SQL wildcards in order to find a "similar" match. In this case, you probably want "%" at the start and end of your clause:
string sql2 = "SELECT [A],[number of dups] FROM [Repeat of dest] WHERE [A] LIKE '%' + @STR + '%'";
using (System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(sql2, conn2))
{
conn2.Open();
cmd.Parameters.AddWithValue("@STR", textBox4.Text);
...
并问自己一个问题:如果你要去问问题,你有什么问题吗?不理会给你的建议?这不是我第一次告诉你有关SQL Inject和参数化查询的问题,或类似的问题 - 但你显然没有倾听或思考你被告知的内容。请开始同时...
And ask yourself a question: Is there any point in you asking questions if you are just going to ignore the advice you are given? This is not the first time I've told you about SQL Inject and parameterized queries, or about a similar problem - but you clearly aren't listening or thinking about what you have been told. Please start doing both...
永远不要通过连接用户输入来构建SQL查询,它被命名为SQL注入,它对您的数据库很危险并且容易出错。
名称中的单引号和程序崩溃。如果像Brian O'Conner这样的用户输入可能会使您的应用程序崩溃,那么这是一个SQL注入漏洞。
SQL注入 - 维基百科 [ ^ ]
SQL注入 [ ^ ]
Never build an SQL query by concatenating with user inputs, it is named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability.
SQL injection - Wikipedia[^]
SQL Injection[^]
这篇关于为什么不在SQL中工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
