SQL查询语法未在ASP.NET C#中选择值 [英] SQL query syntax not picking value in ASP.NET c#

问题描述

我正在为我的公司开发一个网站，并在数据查询中编写了以下内容:

Hi,

I am developing a website for my company and in a data query I wrote the following:

OleDbCommand cmd14 = new OleDbCommand("SELECT USER_NAME FROM EMPLOYEE WHERE USER_NAME LIKE ''"+ lbl_Username_1.Text+"*''", con);

运行时的此命令生成一个查询，该查询将在我使用的MS Access数据库上处理:
从USER_NAME所在的雇员中选择USER_NAME，例如"vivek.sharma *"

现在，此查询在我的数据库中手动运行时返回2个值，但是在我的网站运行中，它不会产生任何结果.

请提出建议.

This commend on runtime generates a query to be processed on MS access db which i am using as:
SELECT USER_NAME FROM EMPLOYEE WHERE USER_NAME LIKE ''vivek.sharma*''

now this query on running manually in my database returns 2 values, but in my website run, it does not result anything.

please suggest.

推荐答案

首先，您在这里做的很不好:用UI数据组成查询.
这存在SQL注入的潜在危险.请参阅:
http://en.wikipedia.org/wiki/SQL_injection [ http://en.wikipedia.org/wiki/Prepared_statement [ http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx [ ^ ].

根据此通配符为％"或"_"，而不是"*":
http://www.w3schools.com/sql/sql_like.asp [ http://www.w3schools.com/sql/sql_wildcards.asp [

To start from, you are doing really bad thing here: compose a query out of UI data.
This presents a potential danger of SQL injection. Please see:
http://en.wikipedia.org/wiki/SQL_injection[^].

You should use parametrized commands (in this case, parametrized query) instead. Please see:
http://en.wikipedia.org/wiki/Prepared_statement[^],
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx[^].

The wildcards are ''%'' or ''_'', not ''*'', according to this:
http://www.w3schools.com/sql/sql_like.asp[^],
http://www.w3schools.com/sql/sql_wildcards.asp[^].

—SA

这篇关于SQL查询语法未在ASP.NET C#中选择值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！