Problem with SQL query using Query String


Problem description

string query="Select * from Products where CategoryID='" + Request.QueryString["ID"] + "' Or ProductID ='"+Request.QueryString["ID"]+"' or ProductName='"+Request.QueryString["Name"]+"'";




I am using the above query in productcatalog.aspx.

I am using this part (

ProductName='"+Request.QueryString["Name"]+"'"


) to show the results of a search using a textbox entry and a button on some other page.

But I want to show the results by using LIKE in the SQL query,

like this:

ProductName like '"+Request.QueryString["Name"]+"%'"



So if I write the query in this way:

string query="Select * from Products where CategoryID='" + Request.QueryString["ID"] + "' Or CategoryID='" + Request.QueryString["ID"] + "' or ProductName LIKE '"+Request.QueryString["Name"]+"%'"



the result of the search will be correct, but the other two query strings, e.g.

CategoryID='" + Request.QueryString["ID"] + "'

CategoryID='" + Request.QueryString["ID"] + "'

will not give the desired results.

Recommended answers

If CategoryID in your database is an integer, this won't work:

CategoryID='" + Request.QueryString["ID"] + "'



You won't need the single quotes.

CategoryID=" + Request.QueryString["ID"] + "



But seriously, the way you're building your query is SQL injection waiting to happen:

http://en.wikipedia.org/wiki/SQL_injection

I'd seriously look at parameterizing your queries.


Please, please don't do it like this. Your code is screaming for a SQL injection attack.
Read the query string arguments into separate variables, validate that the values fall in an acceptable range, and apply defaults to them if they do not exist in the query string. Then, once the variables are considered valid, create your SQL query variable from the sub-components. Never, ever apply non-validated user input to a query directly.
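Putting the two answers above together (parameterize, and validate the query string values before they go anywhere near SQL), here is an added example of how the productcatalog.aspx query could be built; it is not code from the original question or answers. It assumes SQL Server via System.Data.SqlClient, that CategoryID and ProductID are integer columns and ProductName is nvarchar, and the ProductCatalogSearch class, its method names, the "Northwind" connection string name and the ProductsGrid control are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper for productcatalog.aspx (added example, not from the post).
// Assumes SQL Server, integer CategoryID/ProductID columns and an nvarchar ProductName.
public static class ProductCatalogSearch
{
    // Step 1 (validation): a query-string ID is only usable if it parses as a
    // positive int. Anything else ("1 OR 1=1", "", "abc") yields null.
    public static int? ParseId(string raw)
    {
        int id;
        if (int.TryParse(raw, out id) && id > 0)
            return id;
        return null;
    }

    // LIKE treats %, _ and [ as wildcards in SQL Server. Escape them so a user
    // searching for "100%" matches that literal text; the query declares ESCAPE '\'.
    public static string EscapeLike(string s)
    {
        return s.Replace(@"\", @"\\")
                .Replace("%", @"\%")
                .Replace("_", @"\_")
                .Replace("[", @"\[");
    }

    // Step 2 (parameterization): build the command from the validated parts.
    // The user's text never becomes part of CommandText, only of a parameter value.
    public static SqlCommand BuildCommand(SqlConnection conn, string rawId, string rawName)
    {
        int? id = ParseId(rawId);
        string name = (rawName ?? string.Empty).Trim();
        if (name.Length > 100)
            name = name.Substring(0, 100); // bound the search term

        SqlCommand cmd = conn.CreateCommand();
        List<string> predicates = new List<string>();

        if (id.HasValue)
        {
            // Integer columns: no quotes, one typed parameter reused for both columns.
            predicates.Add("CategoryID = @id OR ProductID = @id");
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id.Value;
        }
        if (name.Length > 0)
        {
            // The trailing % is appended in .NET, so the wildcard is ours, not the user's.
            predicates.Add(@"ProductName LIKE @name ESCAPE '\'");
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = EscapeLike(name) + "%";
        }
        if (predicates.Count == 0)
        {
            // Nothing valid was supplied: return no rows instead of the whole table.
            predicates.Add("1 = 0");
        }

        cmd.CommandText = "SELECT ProductID, ProductName, CategoryID FROM Products WHERE "
                          + string.Join(" OR ", predicates.ToArray());
        return cmd;
    }
}

// Usage in the page's code-behind (connection string name and grid are assumptions):
//
// using (SqlConnection conn = new SqlConnection(
//            ConfigurationManager.ConnectionStrings["Northwind"].ConnectionString))
// using (SqlCommand cmd = ProductCatalogSearch.BuildCommand(
//            conn, Request.QueryString["ID"], Request.QueryString["Name"]))
// {
//     conn.Open();
//     using (SqlDataReader reader = cmd.ExecuteReader())
//     {
//         ProductsGrid.DataSource = reader;
//         ProductsGrid.DataBind();
//     }
// }
```

Reusing one @id parameter for both integer columns replaces the two quoted CategoryID/ProductID fragments from the question, so the "integer column in quotes" problem from the first answer disappears along with the injection. The search term lives entirely inside @name, which is why a value such as `'; DROP TABLE Products--` is simply compared against ProductName rather than executed.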


You can always debug your code, copy this query to the backend and then run it there.
It will help you get to the exact root of the problem.

