必须声明标量变量"@UserName"; [英] Must declare the scalar variable "@UserName"
问题描述
我不断收到我不明白的错误. 必须声明标量变量"@varname"
I keep getting an error that i dont understand. Must declare the scalar variable "@varname"
数十小时的研究,没有成功地尝试了多种解决方案.
Tens of hours of research, tried multiple solutions without sucess.
我的目标是创建一个使用2个文本框和一个按钮的登录页面,该按钮将根据Sql数据库中存储的信息检查用户是否退出.
My aim is to create a login page that uses 2 textboxes, and a button, where it checks if the user exits based on the information stored in a Sql Database.
这是我认为问题出在哪里:
This is where i think the problem is coming from:
private bool DBConnection(string userName, string password)
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
//string cmdString = ("SELECT UserName, Password FROM Users WHERE UserName ='" + userName +
// "'AND Password ='" + password + "'"); //REMOVED AS THIS IS PRONE TO SQL INJECTIONS
string cmdString = ("SELECT * FROM Users WHERE UserName = @uname AND Password = @pw");
SqlCommand cmd = new SqlCommand(cmdString, conn);
cmd.Parameters.Add("uname", SqlDbType.VarChar).Value = userName;
cmd.Parameters.Add("pw", SqlDbType.VarChar).Value = password;
DataSet loginCredentials = new DataSet();
SqlDataAdapter dataAdapter;
try
{
if (conn.State.Equals(ConnectionState.Closed))
{
conn.Open();
dataAdapter = new SqlDataAdapter(cmdString, conn);
dataAdapter.Fill(loginCredentials);
conn.Close();
if (loginCredentials != null)
{
if (loginCredentials.Tables[0].Rows.Count > 0)
{
return true;
}
else
{
lblMessage.Text = "Incorrect Username or Password";
lblMessage.Visible = true;
}
}
}
}
catch (Exception err)
{
lblMessage.Text = err.Message.ToString() + " Error connecting to the Database // " + cmd.Parameters.Count;
lblMessage.Visible = true;
return false;
}
return false;
}
特别是在"dataAdapter.Fill(loginCredentials);"所在的位置正在执行.
specifically where the "dataAdapter.Fill(loginCredentials);" is being executed.
已注释掉的语句成功登录了具有正确用户名和密码的用户,但据我所知这是不安全的,因为它容易受到sql注入的攻击,这就是为什么我要参数化sql语句的原因.
the commented out statement works successfully in logging in a user with correct username and password, but as far as i know is not secure, as its vulnerable to sql injections and this is why i'm trying to parameterize the sql statement.
错误截图如下:
任何帮助将不胜感激.
推荐答案
您应该将sqlcommand传递给dataAdapter,因为在您的情况下sqlcommand(cmd)具有比仅命令文本更多的信息,并且连接字符串.您的代码可能如下所示:
You should pass the sqlcommand to the dataAdapter because in your case the sqlcommand (cmd) has more information than mere commandtext and connectionstring. Your code may look like the following:
private bool DBConnection(string userName, string password)
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
//string cmdString = ("SELECT UserName, Password FROM Users WHERE UserName ='" + userName +
// "'AND Password ='" + password + "'"); //REMOVED AS THIS IS PRONE TO SQL INJECTIONS
string cmdString = ("SELECT * FROM Users WHERE UserName = @uname AND Password = @pw");
SqlCommand cmd = new SqlCommand(cmdString, conn);
cmd.Parameters.Add("uname", SqlDbType.VarChar).Value = userName;
cmd.Parameters.Add("pw", SqlDbType.VarChar).Value = password;
DataSet loginCredentials = new DataSet();
SqlDataAdapter dataAdapter;
try
{
if (conn.State.Equals(ConnectionState.Closed))
{
conn.Open();
dataAdapter = new SqlDataAdapter(cmd);
dataAdapter.Fill(loginCredentials);
conn.Close();
if (loginCredentials != null)
{
if (loginCredentials.Tables[0].Rows.Count > 0)
{
return true;
}
else
{
lblMessage.Text = "Incorrect Username or Password";
lblMessage.Visible = true;
}
}
}
}
catch (Exception err)
{
lblMessage.Text = err.Message.ToString() + " Error connecting to the Database // " + cmd.Parameters.Count;
lblMessage.Visible = true;
return false;
}
return false;
}
这篇关于必须声明标量变量"@UserName";的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!