的MySqlCommand Command.Parameters.Add已经过时了 [英] MySqlCommand Command.Parameters.Add is obsolete

问题描述

我做在Visual Studio 2010的C＃Windows窗体应用程序。

I'm making an C# windows Form Application in visual studio 2010.

这是应用程序连接到MySQL数据库，我想在其中插入数据。

That application is connecting to an mysql database, and I want to insert data in it.

现在我必须code的这一部分：

Now do I have this part of code:

MySqlConnection connection;
string cs = @"server=server ip;userid=username;password=userpass;database=databse";
connection = new MySqlConnection(cs);
connection.Open();

MySqlCommand command = new MySqlCommand();
string SQL = "INSERT INTO `twMCUserDB` (`mc_userName`, `mc_userPass`, `tw_userName`, `tw_userPass`) VALUES ('@mcUserName', '@mcUserPass', '@twUserName', '@twUserPass')";
command.CommandText = SQL;
command.Parameters.Add("@mcUserName", mcUserNameNew);
command.Parameters.Add("@mcUserPass", mcUserPassNew);
command.Parameters.Add("@twUserName", twUserNameNew);
command.Parameters.Add("@twUserPass", twUserPassNew);
command.Connection = connection;
command.ExecuteNonQuery();
connection.Close();

连接的罚款。这一工程。

The connection is fine. That works.

我readed <一个href=\"http://stackoverflow.com/questions/7174792/does-using-parameterized-sqlcommand-make-my-program-immune-to-sql-injection\">here这是我现在有办法，是一种节约的方式做查询的。是否仍然正确？

I readed here that the way that I have now, is an save way to do query's. Is that still right?

现在到了真正的问题。有了上面code，我得到Visual Studio中的以下警告：

And now to the real question. With that code above, I get the following warning in visual studio:

'MySql.Data.MySqlClient.MySqlParameterCollection.Add(string, object)' is obsolete: '"Add(String parameterName, Object value) has been deprecated.  Use AddWithValue(String parameterName, Object value)"'

这是警告每parameters.add

That warning is for every parameters.add

和它不连工作的，因为这被插入的值是@mcUserName，@mcUserPass等，代替了变量mcUserNameNew等被保持的值...

And it isn't even working, because the values that are inserted are @mcUserName, @mcUserPass and so on, instead of the values that the variables mcUserNameNew and so on are holding...

所以我的问题是，我是不是做错了什么，什么是新的方式来SQL注入保存做一个查询？

So my question is, am I doing something wrong, and what is the new way to sql injection save do an query?

推荐答案

尝试 AddWithValue

command.Parameters.AddWithValue("@mcUserName", mcUserNameNew);
command.Parameters.AddWithValue("@mcUserPass", mcUserPassNew);
command.Parameters.AddWithValue("@twUserName", twUserNameNew);
command.Parameters.AddWithValue("@twUserPass", twUserPassNew);

和不带单引号包裹的占位符。

and don't wrap the placeholders with single quotes.

string SQL = "INSERT INTO `twMCUserDB` (`mc_userName`, `mc_userPass`, `tw_userName`, `tw_userPass`) VALUES (@mcUserName, @mcUserPass, @twUserName, @twUserPass)";

这篇关于的MySqlCommand Command.Parameters.Add已经过时了的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！