How can I handle the following exception in C#?


Problem description

txtCustomerName = "Mc' Donald";
string strsql = "Update Tbproposal set CustomerName ='" + txtCustomerName + "'";
DataHelper.ExecuteQuery(strsql);

When I am executing this query, I am facing the following problem. Incorrect syntax near 'Donald'.
Msg 105, Level 15, State 1, Line 1
Unclosed quotation mark after the character string ''.

I know what the reason is, but I want to know how I can solve this.

What I have tried:

I want to handle it on my textbox field.

Recommended answers

A temporary fix is
string txtCustomerName = "Mc'' Donald";

but the above code is not recommended, since it is vulnerable to SQL Injection attacks.
Always use parameterized queries (see: Using Parameterized queries to prevent SQL Injection Attacks).

You will have to write a method inside your DataHelper class to handle the sql command as

// requires: using System.Data.SqlClient;
static void ExecuteCommand(SqlCommand cmd)
{
    // 'using' disposes (and closes) the connection even if ExecuteNonQuery throws
    using (SqlConnection con = new SqlConnection("Your connection string"))
    {
        cmd.Connection = con;
        con.Open();
        cmd.ExecuteNonQuery();
    }
}

and invoke it like below

string customerName = txtCustomerName.Text;
string strsql = "Update Tbproposal set CustomerName = @customer";
SqlCommand cmd = new SqlCommand(strsql);
// Bind the value as a typed parameter (needs using System.Data;).
// SqlParameterCollection.Add(string, object) is obsolete, so give the SqlDbType explicitly.
cmd.Parameters.Add("@customer", SqlDbType.NVarChar).Value = customerName;
DataHelper.ExecuteCommand(cmd);
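
An added example, not part of any answer above, that reproduces the failure and the fix offline: it uses Python's built-in sqlite3 in place of SQL Server and ADO.NET, with a constructed Tbproposal table, and relies on SQLite accepting the same @name placeholder style that the parameterized C# command uses.

```python
import sqlite3

# Constructed sample data standing in for the Tbproposal table in the question.
SCHEMA = "CREATE TABLE Tbproposal (Id INTEGER PRIMARY KEY, CustomerName TEXT)"
SEED = [(1, "Smith"), (2, "Jones")]


def new_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO Tbproposal VALUES (?, ?)", SEED)
    return con


def update_concatenated(con, customer_name):
    """The pattern from the question: the value is glued into the SQL text,
    so an apostrophe in the input becomes part of the statement's syntax."""
    sql = "UPDATE Tbproposal SET CustomerName = '" + customer_name + "'"
    con.execute(sql)
    con.commit()


def update_parameterized(con, customer_name):
    """The recommended fix: the value is bound as a parameter and is never
    parsed as SQL. Same statement shape as the C# answer (no WHERE clause,
    as in the question, so every row is updated)."""
    sql = "UPDATE Tbproposal SET CustomerName = @customer"
    con.execute(sql, {"customer": customer_name})
    con.commit()


def try_update(updater, customer_name):
    """Run one updater on a fresh database and return ("ok", stored names)
    or ("error", message) so the two approaches can be compared."""
    con = new_db()
    try:
        updater(con, customer_name)
    except sqlite3.OperationalError as exc:  # SQLite's counterpart of Msg 105
        return ("error", str(exc))
    finally:
        pass  # connection is in-memory; nothing to clean up on disk
    rows = con.execute("SELECT CustomerName FROM Tbproposal ORDER BY Id").fetchall()
    return ("ok", [r[0] for r in rows])


if __name__ == "__main__":
    for updater in (update_concatenated, update_parameterized):
        print(updater.__name__, try_update(updater, "Mc' Donald"))
```

Running it shows the concatenated version failing with a syntax error on the apostrophe while the parameterized version stores the value "Mc' Donald" exactly as typed.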


You already got some advice related to SQL injection. This is the bad thing: your query is composed by concatenation with strings taken from the UI. Not only is repeated string concatenation inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but more importantly it opens the doors to SQL injection, a very well-known exploit. You just need to understand the background.

This is how it works: http://xkcd.com/327.

Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.

What to do? Just read about this problem and the main remedy: parametrized statements: http://en.wikipedia.org/wiki/SQL_injection.

With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

See also (links provided by our member Richard Deeming):
Troy Hunt: Everything you wanted to know about SQL injection (but were afraid to ask),
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange,
Query Parameterization Cheat Sheet — OWASP,
SQL injection attack mechanics | Pluralsight — YouTube (https://www.youtube.com/watch?v=GY5IXcMyOeU).

—SA


Well, as always with SQL queries which receive some values from a GUI: use a parameterized query instead of simple string concatenation. That will handle all that escaping, DateTime/number formats, SQL injection avoidance etc. for you.

