Fetch The Value From DataBase Through Text Box


Question

Hi

What I am expecting is that in my text box, if I write any SQL query such as a select or anything else, and I perform one button event, it should give me the output in another label or text box.
So in total:
1. Text box: where I write my query
2. Will have the same functionality as execute
3. Text box: where my executed query output will be displayed

Recommended Answers

"My text box, if I write any SQL query as select or anything and I will perform one button event, it should give me the output"

I would strongly not suggest this implementation. This is like willingly asking for SQL injection.
Refer:
MSDN: SQL Injection
SQL Injection Mitigation: Using Parameterized Queries

For database operations, you should use parameterized queries or SPs via ADO.NET.
Refer:
Look here for parameterized queries and their usage:
MSDN: Configuring Parameters and Parameter Data Types (ADO.NET)
MSDN: DataAdapter Parameters (ADO.NET)
MSDN: SqlCommand.Parameters Property
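As an added illustration of the contrast the answer draws (not code from the thread or from the linked MSDN pages): the first method runs whatever the text box contains, which is the design the question asks for; the second keeps the SQL fixed in code and passes the text box value through an ADO.NET SqlParameter, so it is never parsed as SQL. The table name Customers, its columns, and the connection string are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; assumes a table Customers(Id INT, Name NVARCHAR(100)) and a
// connection string supplied by the caller. Both are placeholders, not from the thread.
public static class CustomerLookup
{
    // The design the question describes: the text box content IS the statement.
    // Whoever can type in the box can run anything the connection's login is allowed
    // to run, which is why the answer calls this "asking for SQL injection".
    public static DataTable RunRawText(string connString, string userText)
    {
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(userText, conn))   // user text executed verbatim
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    // Parameterized alternative: the statement is fixed at compile time and the text
    // box only supplies a typed value. The value travels separately from the SQL text,
    // so quotes or keywords inside it are data, not syntax.
    public static DataTable FindCustomersByName(string connString, string nameFromTextBox)
    {
        const string sql = "SELECT Id, Name FROM Customers WHERE Name = @name";
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            // Declaring the type and length also prevents an over-long input from
            // being sent as a different parameter type than the column expects.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = nameFromTextBox;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

Binding the returned DataTable to a grid gives the "output in another text box" the question asks for, while the login used for connString only needs SELECT on Customers rather than rights to run arbitrary statements.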


OK, you can do this but I'm going to want you to read to the end before you do. First, how to do it: I wrote an article a while ago that dealt with how to write T-SQL. I wrote a simple application that took the SQL text you put into the box and ran it against the database. You can get the source for the application, as well as see a working example, here:

SQL for Developers: Basic Data Retrieval

Note that this isn't what the article is about, but there is a working example of what you want to do. The code will be basically the same for ASP.NET (right now it is just a WinForms app). That will get you through the "how" of doing this. Now for a short speech:

I would HIGHLY recommend against doing this. This is a bad idea. If your users can run SQL statements, then they can do things like dropping the table, reading other information that you weren't expecting them to read, or executing scripts against the database. Please, please, please don't do this. Figure out a better way to accomplish what you want to do. If you do this, I can almost guarantee you will regret it down the road. Even if you lock down the user account it is running under and only give access to certain employees to run this, at some point someone will make a mistake and someone else will exploit it (intentionally or unintentionally).

