Multiple concatenation in MySQL query and C#


Problem description

Hey guys, still very new to C# and am very lost.

I have two drop-down lists, `ddlcountry` (Country) and `DdPetPist` (Specie); the country selection populates the Specie list with the species available in the selected country.

**Code below**

    // cs is a MySqlConnection field shared by all handlers (declared elsewhere in the page).
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            // Fill the country list once, on the first (non-postback) load.
            MySqlCommand cd2 = new MySqlCommand("SELECT DISTINCT(Country) FROM Animals", cs);
            cs.Open();
            MySqlDataReader ddlCountry = cd2.ExecuteReader();
            ddlcountry.DataSource = ddlCountry;
            ddlcountry.DataValueField = "Country";
            ddlcountry.DataTextField = "Country";
            ddlcountry.DataBind();
            cs.Close();
            cs.Dispose();
        }
    }

    protected void ddlcountry_SelectedIndexChanged(object sender, EventArgs e)
    {
        if (ddlcountry.Text != string.Empty)
        {
            // The selected country is spliced straight into the SQL text (string.Format),
            // which is what the answer below flags as SQL injection.
            MySqlCommand cd = new MySqlCommand(string.Format("SELECT * FROM Animals WHERE Country ='{0}'", ddlcountry.Text), cs);
            cs.Open();
            MySqlDataReader ddlSpecie = cd.ExecuteReader();
            DdPetPist.DataSource = ddlSpecie;
            DdPetPist.DataValueField = "Specie";
            DdPetPist.DataTextField = "Specie";
            DdPetPist.DataBind();
            cs.Close();
            cs.Dispose();
        }
    }

This works very well and I am happy with it, although I am in the process of protecting it from SQL injection.

**The problem**

I am now trying to print information out into two labels with two queries, and this I am having problems with. So far my labels will print out information such as pet price and stock amounts, but I can't seem to get the queries to adjust with the different country selection.
I have been at this for a few days now and any help will be fantastic, as I am very new to C# and still learning.

Label code and queries (not changing with different country selection)


    protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
    {
        string selection_price = DdPetPist.SelectedValue;
        string selection_stock = DdPetPist.SelectedValue;
        string petPrice = string.Empty;
        string available = string.Empty;

        // The country (argument {0}) is passed to String.Format but never referenced by
        // either format string, so the country selection has no effect on these queries.
        MySqlCommand cd_price = new MySqlCommand(String.Format("SELECT Specie_Price FROM Animals WHERE Specie ='{1}'", ddlcountry.Text, selection_price), cs);
        MySqlCommand cd_available = new MySqlCommand(String.Format("SELECT Stock FROM Animals WHERE Specie ='{1}'", ddlcountry.Text, selection_stock), cs);

        cs.Open();
        petPrice = Convert.ToString(cd_price.ExecuteScalar());
        available = Convert.ToString(cd_available.ExecuteScalar());
        cs.Close();

        PetPrice.Text = String.Format("Minimum Donation For A {0}  Is £{1}.", selection_price, petPrice);
        Availble.Text = String.Format("{0}'s Avalible {1} In Your Country.", selection_stock, available);
    }

Recommended answer

Why would you ignore my answer to your previous question? It can cost you too much, because this is about security. Not only is this not concatenation (which is only a good thing), but making queries this way is absolutely vulnerable to SQL injection:
correcting concatenation query. C# and MySQL[^].

Don't even play with the idea of keeping on using string-manipulated queries instead of parameterized statements.

—SA


OK, not perfect and still susceptible to SQL injection, which I am still learning how to fix, but to get the query to work I have found this fix works well.

    // Country is now used as {0} in both format strings; the values are still spliced
    // into the SQL text rather than passed as parameters.
    MySqlCommand cd_price = new MySqlCommand(String.Format("SELECT Specie_Price FROM Animals WHERE Specie ='{1}' and Country ='{0}'", ddlcountry.SelectedItem.ToString().Trim(), selection_price), cs);
    MySqlCommand cd_available = new MySqlCommand(String.Format("SELECT Stock FROM Animals WHERE Specie ='{1}' and Country ='{0}'", ddlcountry.SelectedItem.ToString().Trim(), selection_stock), cs);
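As an added example (not code from the question, the answer, or the follow-up post), here are the same three handlers rewritten with parameterized `MySqlCommand` queries, which is the fix the answer asks for and which the follow-up post says it has not yet done. It assumes the `Animals` table from the question (columns `Country`, `Specie`, `Specie_Price`, `Stock`, the last two numeric), a reachable MySQL server, the placeholder connection string shown, and that the page markup wires `DdPetPist` to `DdPetPist_SelectedIndexChanged` with AutoPostBack; the class name `PetShop` and the `BindList` helper are made up for the example.

```csharp
using System;
using System.Web.UI.WebControls;
using MySql.Data.MySqlClient;

// Assumed: the four controls (ddlcountry, DdPetPist, PetPrice, Availble) are declared
// in the page's designer file, as in the question.
public partial class PetShop : System.Web.UI.Page
{
    // Placeholder; a real deployment reads this from Web.config, and the account
    // should hold SELECT on Animals only.
    private const string ConnectionString =
        "Server=localhost;Database=petshop;Uid=app_user;Pwd=CHANGE_ME;";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // No user input here, so no parameter is needed.
            BindList(ddlcountry, "SELECT DISTINCT Country FROM Animals ORDER BY Country", "Country", null);
        }
    }

    protected void ddlcountry_SelectedIndexChanged(object sender, EventArgs e)
    {
        // The posted country value is user-controlled: it travels as a parameter and is
        // never spliced into the SQL text, so a quote inside it cannot end the literal.
        BindList(DdPetPist,
                 "SELECT Specie FROM Animals WHERE Country = @country ORDER BY Specie",
                 "Specie",
                 new MySqlParameter("@country", MySqlDbType.VarChar) { Value = ddlcountry.SelectedValue });
        PetPrice.Text = string.Empty;
        Availble.Text = string.Empty;
    }

    protected void DdPetPist_SelectedIndexChanged(object sender, EventArgs e)
    {
        string country = ddlcountry.SelectedValue;
        string specie = DdPetPist.SelectedValue;

        // One round trip fetches both columns; both filters are parameters, and the
        // country is actually used, which was the original question.
        const string sql =
            "SELECT Specie_Price, Stock FROM Animals WHERE Country = @country AND Specie = @specie";

        using (var conn = new MySqlConnection(ConnectionString))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@country", MySqlDbType.VarChar).Value = country;
            cmd.Parameters.Add("@specie", MySqlDbType.VarChar).Value = specie;
            conn.Open();
            using (MySqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    // A tampered or stale postback value yields no row instead of an exception.
                    PetPrice.Text = "No such pet in the selected country.";
                    Availble.Text = string.Empty;
                    return;
                }
                decimal price = Convert.ToDecimal(reader["Specie_Price"]);
                int stock = Convert.ToInt32(reader["Stock"]);
                PetPrice.Text = string.Format("Minimum Donation For A {0} Is £{1:0.00}.", specie, price);
                Availble.Text = string.Format("{0} {1}'s Available In Your Country.", stock, specie);
            }
        }
    }

    // Fills a list control from a query; the single optional parameter carries any
    // user-supplied filter value. Each call opens and disposes its own connection
    // instead of reusing one shared field across handlers.
    private static void BindList(ListControl list, string sql, string column, MySqlParameter parameter)
    {
        using (var conn = new MySqlConnection(ConnectionString))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            if (parameter != null)
            {
                cmd.Parameters.Add(parameter);
            }
            conn.Open();
            using (MySqlDataReader reader = cmd.ExecuteReader())
            {
                list.DataSource = reader;
                list.DataValueField = column;
                list.DataTextField = column;
                list.DataBind();
            }
        }
    }
}
```

The difference from `String.Format` is that the SQL text sent to the server is fixed and the values are bound separately, so an input such as `x' OR '1'='1` is compared literally against `Specie` rather than rewriting the WHERE clause. Because the values come from drop-downs, the posted value can still be anything the client chooses to send; parameters make that harmless, and the empty-result branch keeps an unexpected value from throwing.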

