Blank spaces in mysql using c#


Problem description



MySqlCommand SelectCommand = new MySqlCommand("select * from partsfinder.blancco where 'Extra2 value'='" + s.Text + "'", myConn);




Hello,

I am trying to select a value from a mysql table. Unfortunately my column names have got spaces, and if I use '' the output to the data grid is 0. Could you let me know please how to solve this issue? I tried to use [] as well and it did not work :(

Sorry for my English and thank you for any help.

Solution

Use a back tick (`) instead of a single quote (') to enclose the column name.
BTW, you should not inject parameters directly into the SQL statement, as it is open to SQL Injection.


Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

And now — drums… using parametrized statements will also solve the "problem" of blank spaces in data, as well as any other characters confusing your use of SQL syntax. :-)

—SA
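
The two pieces of advice above combined (back ticks around the column name, a parameter for the value), as an added example that is not part of the original answers. It assumes the MySql.Data (Connector/NET) package; the class and method names, the `@extra2` parameter name and the connection string are assumptions.

```csharp
using System.Data;
using MySql.Data.MySqlClient;

public static class BlanccoLookup
{
    // The column name contains a space, so it is quoted as an identifier
    // with back ticks. In single quotes, 'Extra2 value' is a string literal:
    // the WHERE clause then compares two strings and ignores the column.
    private const string Sql =
        "SELECT * FROM partsfinder.blancco WHERE `Extra2 value` = @extra2";

    // connectionString is supplied by the caller (assumption).
    public static DataTable FindByExtra2(string connectionString, string userInput)
    {
        var table = new DataTable();

        using (var conn = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(Sql, conn))
        {
            // The value is sent as data, separate from the statement text,
            // so quotes, spaces or SQL fragments typed in the UI cannot
            // change the query.
            cmd.Parameters.Add("@extra2", MySqlDbType.VarChar).Value = userInput;

            using (var adapter = new MySqlDataAdapter(cmd))
            {
                // Fill opens the connection if needed and closes it again.
                adapter.Fill(table);
            }
        }

        return table;
    }
}
```

The result can be bound to the data grid from the question by passing `s.Text` as `userInput` and assigning the returned `DataTable` as the grid's data source.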


Kindly rename the column and use the query below:

MySqlCommand SelectCommand = new MySqlCommand("select * from partsfinder.blancco where Extra2value='" + s.Text + "'", myConn);

