C#字符串格式参数 [英] C# String Format Paramters

问题描述

大家好，

我正在使用以下字符串格式语句进行查询.

字符串 sql = 字符串 .Format( "< REMOVED>" ，系统. 转换 .ToInt32(Session [ ; IDUser"; ])));

当我将此字符串格式用于sql字符串时.

我得到sql =<<< REMOVED>".作为sql查询.您能否告诉我什么是< REMOVED>"?


谢谢，
Sandeep Jain.

Hello All,

I am having one query with the below String Format Statement.

string sql = String.Format("<REMOVED>", System.Convert.ToInt32(Session["IDUser"]));

when I use this string format for sql string.

I get sql ="<REMOVED>"  as sql Query. can you please tell me what "<REMOVED>" stands for?


Thanks,
Sandeep Jain.

推荐答案

根据您的代码，您将获得应有的结果.如果您尝试使用此方法构建SQL查询(这很糟糕，因为它可能会使您进入SQL注入)，则需要执行以下操作:

Based on your code,  you're getting the results that you should. If you're trying to build a SQL query using this method (which is bad because it might open you up for SQL injection), you'll need to do something like this:

<身体>

字符串 sql 字符串

string sql = String.Format("SELECT * from [Users] Where [userId]='{0}'", System.Convert.ToInt32(Session["IDUser"]));

这篇关于C#字符串格式参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！