使用c#在mysql中的空格 [英] Blank spaces in mysql using c#
本文介绍了使用c#在mysql中的空格的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
MySqlCommand SelectCommand = new MySqlCommand( select * from partsfinder.blancco其中'Extra2 value'=' + s.Text + ',myConn);
您好,>
我试图从mysql表中选择值,遗憾的是我的列名称有空格,如果我使用''输出到数据网格是0,你可以让我知道请问如何解决这个问题也尝试使用[]并且它不起作用:(
抱歉我的英文并感谢您的帮助
解决方案
使用返回打勾
`
而不是单引号
'
从一开始你的方法就错了。您永远不应该通过连接从UI获取的字符串来创建查询。相反,您需要使用参数化语句。请参阅: http://msdn.microsoft.com/en-us/library/ff648339.aspx。
如果你这样做,你的应用程序完全容易受到众所周知的漏洞利用: SQL注入。用户可以在UI中编写任何内容,包括一些SQL片段。你明白了吗?具体方法如下: http://xkcd.com/327 。
请查看我过去的答案:
在com.ExecuteNonQuery()中更新EROR; ,
hi名称没有显示在名称中?。
现在 - 鼓......使用参数化语句也将解决空白空间的问题数据,以及混淆使用SQL语法的任何其他字符。 :-)
-SA
请重新命名列并使用前面的查询
MySqlCommand SelectCommand = new MySqlCommand(select * from partsfinder.blancco其中Extra2value =' + s.Text +',myConn)
MySqlCommand SelectCommand = new MySqlCommand("select * from partsfinder.blancco where 'Extra2 value'='" + s.Text + "'", myConn);
Hello,
I ma trying to select value from mysql table unfortunately my columns names have got spaces and if I use '' output to data grid is 0 could you let me know please how to solve this issue tried to use [] as well and it did not work :(
sorry for my english and thank you for any help
解决方案
Use back tick
`
instead of single quote
'
to enclose the column name.
BTW, you should not inject parameters directly into the sql statement as it is opened to SQL Injection[^].
Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.
If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.
Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.
And now — drums… using parametrized statements will also solve the "problem" of blanks spaces in data, as well as any other characters confusing your use of SQL syntax. :-)
—SA
kindly rename the column and use preceding below query
MySqlCommand SelectCommand = new MySqlCommand("select * from partsfinder.blancco where Extra2value='" + s.Text + "'", myConn)
这篇关于使用c#在mysql中的空格的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文