'email'附近的语法不正确 [英] Incorrect syntax near 'email'
本文介绍了'email'附近的语法不正确的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我是sql的新手。我想编写代码可以让我检查数据库的电子邮件和密码的用户输入。
以下是我写的代码
protected void btnLogin_Click( object sender,EventArgs e)
{
string strEmail,strPwd,strSel;
int intShopperID;
DatabaseMgmt loginObj = new DatabaseMgmt();
// 读取在文本框中输入的电子邮件和密码
strEmail = emailTextBox.Text.ToLower();
strPwd = pwdTextBox.Text.Trim();
strSel = SELECT ShopperID +
FROM Shopper +
WHERE Email =' + strEmail + ' +
和Passwd =' + strPwd + ';
SqlDataReader dR = loginObj.ExecuteSelect(strSel);
if (dR.Read())
{
intShopperID = 1 ;
会话[ shopperID] = intShopperID;
Response.Redirect( Default.aspx);
}
else
{
intShopperID = 0 ;
lblMsg.Text = 电子邮件或密码不正确!;
lblMsg.ForeColor = System.Drawing.Color.Red;
}
}
我尝试过:
我不知道如何从这里继续:(
解决方案
你需要学习使用调试器
在Visual Studio 2010中掌握调试 - 初学者指南 [ ^ ]
检查变量的内容,例如strSel,它包含哪些内容?
SELECT ShopperIDFROM ShopperWHERE Email = ' me@here.com' AND Passwd = ' 123456'
这是有效的SQL吗?
同时阅读使用参数化查询构建您的SQL,因为您的代码可能对SQL注入攻击开放。
您的SQL在正确的位置没有空格。
另请参阅下面的示例,以查看使用SQL中的用户输入选择查询数据的更好方法,以避免SQL注入:
< span class =code-keyword> string userEmail = test@email.com,userPassword = abc123;
// 您的SQL:
Console.WriteLine(< span class =code-string> SELECT ShopperID + FROM Shopper + WHERE Email =' + a@b.com + ' + 和Passwd =' + password + ');
// 输出:SELECT ShopperIDFROM ShopperWHERE Email ='a@b.com'and Passwd ='password'
// 更好的方法:
string sql = SELECT ShopperID FROM Shopper WHERE Email = {0} AND Passwd = {1};
string emailParameter = @ Email,passwordParameter = @ Password;
string formattedSql = string .Format(sql,emailParameter,passwordParameter);
Console.WriteLine(formattedSql);
// 使用参数化sql命令
SqlCommand cmd = < span class =code-keyword> new SqlCommand(formattedSql);
cmd.Parameters.Add( new SqlParameter(emailParameter,userEmail));
cmd.Parameters.Add( new SqlParameter(passwordParameter,userPassword));
SqlDataReader dr = cmd.ExecuteReader();
// 继续使用您的代码......
im new to sql. Im suppose to write code that can let me check the user input for email and password against the database.
Below is the code i've written
protected void btnLogin_Click(object sender, EventArgs e)
{
string strEmail, strPwd, strSel;
int intShopperID;
DatabaseMgmt loginObj = new DatabaseMgmt();
//read e-mail and password that are entered in the textboxes
strEmail = emailTextBox.Text.ToLower();
strPwd = pwdTextBox.Text.Trim();
strSel = "SELECT ShopperID" +
"FROM Shopper" +
"WHERE Email = '" + strEmail + "'" +
"AND Passwd = '" + strPwd + "'";
SqlDataReader dR = loginObj.ExecuteSelect(strSel);
if (dR.Read())
{
intShopperID = 1;
Session["shopperID"] = intShopperID;
Response.Redirect("Default.aspx");
}
else
{
intShopperID = 0;
lblMsg.Text = "Incorrect email or password!";
lblMsg.ForeColor = System.Drawing.Color.Red;
}
}
What I have tried:
im dont know how to continue from here :(
解决方案
You need to learn to use the debugger
Mastering Debugging in Visual Studio 2010 - A Beginner's Guide[^]
Inspect the content of your variables, such as strSel, what does it contain?
SELECT ShopperIDFROM ShopperWHERE Email = 'me@here.com'AND Passwd = '123456'
Is that valid SQL?
Also read on using parameterised queries to build your SQL as your code might be open to SQL Injection attacks.
Your SQL does not have spaces in correct places.
Also see my sample below to see a better way to select query data using user input in SQL to avoid SQL injection:
string userEmail = "test@email.com", userPassword = "abc123"; // Your SQL: Console.WriteLine("SELECT ShopperID" + "FROM Shopper" + "WHERE Email = '" + "a@b.com" + "'" + "AND Passwd = '" + "password" + "'"); // Outputs: SELECT ShopperIDFROM ShopperWHERE Email = 'a@b.com'AND Passwd = 'password' // Better way to do it: string sql = "SELECT ShopperID FROM Shopper WHERE Email = {0} AND Passwd = {1}"; string emailParameter = "@Email", passwordParameter = "@Password"; string formattedSql = string.Format(sql,emailParameter,passwordParameter); Console.WriteLine(formattedSql); // Use parameterised sql command SqlCommand cmd = new SqlCommand(formattedSql); cmd.Parameters.Add(new SqlParameter(emailParameter,userEmail)); cmd.Parameters.Add(new SqlParameter(passwordParameter,userPassword)); SqlDataReader dr = cmd.ExecuteReader(); // Continue your code...
这篇关于'email'附近的语法不正确的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
