Query string in SQL command C#

Views: 71

Question

DetailPage:

string qid = Page.RouteData.Values["id"].ToString();

string cs = ConfigurationManager.ConnectionStrings["cs"].ToString();
SqlCommand cmd = new SqlCommand("SELECT [name], [family], [path] from [tbl_t] WHERE id= + qid");
SqlConnection con = new SqlConnection(cs);
cmd.Connection = con; // not in the original post; without it ExecuteReader throws because the command has no connection
cmd.CommandType = CommandType.Text;
con.Open();
SqlDataReader dr = cmd.ExecuteReader();
while (dr.Read())
{
    this.lblname.Text = (dr["name"].ToString());
    this.lblfamily.Text = (dr["family"].ToString());
}
cmd.Dispose();
con.Close();
con.Dispose();






What I have tried:

Excuse me for my bad English, I hope to be understood.
I want to call (SqlCommand) value as id (querystring).

Solutions

Learn to do the right thing right: Give me parameterized SQL, or give me death[^]



Guessing that qid is your parameter, you need to replace:

SqlCommand cmd = new SqlCommand("SELECT [name], [family], [path] from [tbl_t] WHERE id= + qid");

with

SqlCommand cmd = new SqlCommand("SELECT [name], [family], [path] from [tbl_t] WHERE id= " + qid);

or

SqlCommand cmd = new SqlCommand("SELECT [name], [family], [path] from [tbl_t] WHERE id= '" + qid + "'");





depending on the value of qid.
Pay attention to the quote at the end.

The way you build the query is dangerous and an open door to SQL injection.
SQL Injection[^]
SQL injection - Wikipedia[^]


One thing that has already been pointed out is parameterization. This would keep you safe from SQL injection and help with conversions.

What hasn't yet been mentioned is the use of the using statement and try blocks. Both are critical to ensure that your objects are properly disposed of even if an exception is encountered, and that you handle exceptions properly.

For more information, have a look at Properly executing database operations[^]
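The following is an added example, not code from the question or from any of the answers above. It puts the two recommendations together for the DetailPage in the question: the id is parsed as an integer before anything touches the database, the query uses a typed @id parameter instead of string concatenation (note that the quoted form '" + qid + "' from the answer above is still injectable with an input such as ' OR '1'='1), and the connection, command and reader are all held in using blocks so they are disposed even when ExecuteReader throws. The table [tbl_t], the columns, the "cs" connection string and the lblname/lblfamily labels come from the question; DetailRecord, DetailRepository, TryParseId and LoadDetail are names made up here for illustration, and the Page_Load wiring assumes ASP.NET Web Forms on .NET Framework with System.Data.SqlClient.

```csharp
// Added example (not from the original post). Assumed names: DetailRecord,
// DetailRepository, TryParseId, LoadDetail; the Page_Load wiring is illustrative.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public sealed class DetailRecord
{
    public string Name { get; set; }
    public string Family { get; set; }
    public string Path { get; set; }
}

public static class DetailRepository
{
    // Validate the route value before it reaches SQL Server. Anything that is not an
    // integer ("1 OR 1=1", "1; DROP TABLE tbl_t", "' OR '1'='1") is rejected here.
    public static bool TryParseId(object routeValue, out int id)
    {
        id = 0;
        return routeValue != null && int.TryParse(routeValue.ToString(), out id);
    }

    // Returns null when no row matches. @id is sent as a typed value, never spliced
    // into the SQL text, so it cannot change the shape of the statement.
    public static DetailRecord LoadDetail(string connectionString, int id)
    {
        const string sql =
            "SELECT [name], [family], [path] FROM [tbl_t] WHERE [id] = @id";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.CommandType = CommandType.Text;
            // Explicit SqlDbType: no server-side implicit conversion of user-controlled text.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;

            con.Open();
            using (SqlDataReader dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!dr.Read())
                    return null;

                return new DetailRecord
                {
                    Name = dr["name"] as string ?? string.Empty,
                    Family = dr["family"] as string ?? string.Empty,
                    Path = dr["path"] as string ?? string.Empty,
                };
            }
        } // Dispose() closes the connection even if ExecuteReader threw.
    }
}

// Illustrative code-behind for the DetailPage from the question.
public partial class DetailPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int id;
        if (!DetailRepository.TryParseId(Page.RouteData.Values["id"], out id))
        {
            Response.StatusCode = 404; // missing or non-numeric id: do not query at all
            return;
        }

        string cs = ConfigurationManager.ConnectionStrings["cs"].ConnectionString;
        try
        {
            DetailRecord rec = DetailRepository.LoadDetail(cs, id);
            if (rec == null)
            {
                Response.StatusCode = 404;
                return;
            }
            // Label.Text is rendered as raw HTML, so encode database content before display.
            lblname.Text = Server.HtmlEncode(rec.Name);
            lblfamily.Text = Server.HtmlEncode(rec.Family);
        }
        catch (SqlException)
        {
            // Log server-side; never echo SQL error text back to the client.
            Response.StatusCode = 500;
        }
    }
}
```

The int.TryParse step is what makes the rest cheap to reason about: once the id is an int, the parameter type is fixed and the only thing an attacker can vary is which row they ask for, which is an authorization question rather than an injection one. The using blocks replace the manual cmd.Dispose()/con.Close()/con.Dispose() sequence from the question, which is skipped entirely if ExecuteReader throws.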

