麻烦的SQL语法 [英] Trouble with SQL syntax
本文介绍了麻烦的SQL语法的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
下面是我的代码..我试图得到它来验证数据库。
通/用户名= Admin
{
///<总结> $ B $为MainWindow.xaml
///< b ///交互逻辑; /总结>
公共部分类主窗口:窗口
{
公共主窗口()
{
的InitializeComponent();
}
私人无效main_B_Signup_Click(对象发件人,RoutedEventArgs E)
{
RegWindow RWindow对象=新RegWindow();
rWindow.Show();
this.Close();
}
私人无效main_B_login_Click(对象发件人,RoutedEventArgs E)
{
//连接到数据库
的SqlConnection loginConn =新的SqlConnection(服务器=本地主机;+Trusted_Connection =是;+=数据库生产;+连接超时= 30);
的SqlCommand CMD =新的SqlCommand('+ this.Main_T_Username.Text +和密码='+ this.Main_T_Password.Text +';从用户那里用户名=选择*', loginConn);
//的SqlCommand CMD =新的SqlCommand(从用户选择*其中用户名='用户名@'和密码='@密码;,loginConn);
//cmd.Parameters.Add(new的SqlParameter(用户名,this.Main_T_Username.Text));
//cmd.Parameters.Add(new的SqlParameter(密码,this.Main_T_Password.Text));
loginConn.Open();
SqlDataReader的RDR = cmd.ExecuteReader();
字符串的用户名= NULL;
如果(rdr.HasRows)
{
,而(rdr.Read())
{
=用户名RDR [用户名]。的ToString ();
}
loginConn.Close();
MessageBox.Show(干得好!);
}
,否则
{
MessageBox.Show(WrongPass!);
loginConn.Close();
}
}
}
}
但我得到的错误是附近的关键字用户
块引用
语法不正确>
但表称为
用户
并有列用户名
和密码
解决方案用户是的reserved字。要使用它作为一个架构对象标识符,围绕着它用方括号:
SELECT * FROM [用户]
这是一般好的做法与模式对象标识符做到这一点呢。 ,这使他们在查询中更明确
此外,你是:
- 用户输入直接连接的可执行代码,这是一个SQL注入漏洞。使用查询参数来代替。
- 存储用户密码为明文,即 极不负责任的以您的用户。用户密码应以单向散列被遮蔽,并应的从不的可检索。
Here is my code.. I'm trying to get it to validate against the database.
pass/user = Admin
{ /// <summary> /// Interaction logic for MainWindow.xaml /// </summary> public partial class MainWindow : Window { public MainWindow() { InitializeComponent(); } private void main_B_Signup_Click(object sender, RoutedEventArgs e) { RegWindow rWindow = new RegWindow(); rWindow.Show(); this.Close(); } private void main_B_login_Click(object sender, RoutedEventArgs e) { //connect to the database SqlConnection loginConn = new SqlConnection("server=localhost;"+ "Trusted_Connection=yes;" + "database=Production; " + "connection timeout=30"); SqlCommand cmd = new SqlCommand("Select *from User where Username=' " + this.Main_T_Username.Text + " ' and Password=' " + this.Main_T_Password.Text + " ' ;", loginConn); //SqlCommand cmd = new SqlCommand("Select *from User where Username='@Username' and Password='@Password';", loginConn); //cmd.Parameters.Add(new SqlParameter("Username", this.Main_T_Username.Text)); //cmd.Parameters.Add(new SqlParameter("Password", this.Main_T_Password.Text)); loginConn.Open(); SqlDataReader rdr = cmd.ExecuteReader(); string username = null; if (rdr.HasRows) { while (rdr.Read()) { username = rdr["Username"].ToString(); } loginConn.Close(); MessageBox.Show("Well done!"); } else { MessageBox.Show("WrongPass!"); loginConn.Close(); } } } }
but the error I get is
Incorrect syntax near the keyword 'User'
But the table is called
User
and there are columnsUsername
andPassword
解决方案"User" is a reserved word in SQL Server. To use it as an identifier for a schema object, surround it with square braces:
SELECT * FROM [User]
It's generally good practice to do this with schema object identifiers anyway. It makes them more explicit in the query.
Additionally, you are:
- directly concatenating user input as executable code, which is a SQL injection vulnerability. Use query parameters instead.
- storing user passwords as plain text, which is grossly irresponsible to your users. User passwords should be obscured with a one-way hash and should never be retrievable.
这篇关于麻烦的SQL语法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文