OleDbException是由C#用户code未处理 [英] OleDbException was unhandled by user code in c#
问题描述
下面是CS文件:
public int CheckExisting(String sqlDbQry, String sTable)
{
Qry = sqlDbQry;
con = new OleDbConnection(connectionstr);
if (con.State == ConnectionState.Open)
con.Close();
con.Open();
cmd = new OleDbCommand(Qry, con);
dr = cmd.ExecuteReader();
while (dr.Read())
rQry = Convert.ToInt32(dr[0].ToString());
con.Close();
return rQry;
}
下面是我的另一个CS:
Here is my another cs:
protected void btnsub_Click(object sender, EventArgs e)
{
if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Email='" + Textemail.Text.Trim() + "'", "Temp") > 0)
{
lblmail.Text = "Your EmailId already Registered, Please Login!";
return;
}
if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Phone_num='" + Textphone.Text.Trim() + "'", "Temp") > 0)
{
lblmail.Text = "Mobile number already exists, Please Login!";
return;
}
}
当我输入的输入信息,并点击提交,它会显示错误这样的事情,
When i enter input details and hit submit, it shows error something like this,
下面是错误截图
谁能帮我解决这个问题?
Can anyone help me to fix this?
推荐答案
您手动构建从标有电子邮件文本框SQL字符串。电子邮件地址通常包含一个@。因为你正在建设一个原始SQL查询,你可以直接把@中查询。 的OleDb 间$ P $点,作为一个SQL参数,并期望你提供它,你都没有,这是什么原因造成的错误。你会得到一个类似的错误,如果你的任何文本框包含'(单引号)。
You are manually building a sql string from a textbox labeled "email". Email addresses usually contain an "@". Because you are building a raw sql query you are putting the "@" directly in to the query. OleDb interprets that as a SQL parameter, and expects you to supply it, which you are not, which is what is causing the error. You will get a similar error if any of your text boxes contain a ' (single quote).
您应该在使用的的OleDbCommand 和的 OleDbParameter 在你的参数,而不是发送原始字符串传递。这也将修复其他人所说的SQL注入攻击漏洞。
You should look in to using OleDbCommand and OleDbParameter to pass in your parameters instead of sending raw strings. This will also fix your sql injection attack vulnerability that others have mentioned.
这篇关于OleDbException是由C#用户code未处理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
