从asp.net执行MySql查询
为什么此命令不能正确执行:从asp.net执行MySql查询,asp.net,mysql,Asp.net,Mysql,为什么此命令不能正确执行: using (MySqlCommand myCommand = new MySqlCommand("Update jobs SET poster_email = '@1', url = '@2' WHERE company = '@3'; ", myConn)) { myCommand.Parameters.AddWithValue("@1", email); myCommand.Parameters.AddWithVa
using (MySqlCommand myCommand = new MySqlCommand("Update jobs SET poster_email = '@1', url = '@2' WHERE company = '@3'; ", myConn))
{
myCommand.Parameters.AddWithValue("@1", email);
myCommand.Parameters.AddWithValue("@2", url);
myCommand.Parameters.AddWithValue("@3", company);
myConn.Open();
myCommand.ExecuteNonQuery();
}
但当我用实际值替换@3时,它会起作用:
using (MySqlCommand myCommand = new MySqlCommand("Update jobs SET poster_email = '@1', url = '@2' WHERE company = 'MyCompany'; ", myConn))
{
myCommand.Parameters.AddWithValue("@1", email);
myCommand.Parameters.AddWithValue("@2", url);
myConn.Open();
myCommand.ExecuteNonQuery();
}
为company变量传入的值与第二个示例中硬编码的值相同。我已经使用了调试器,以确保company变量被添加为参数,并且它是我期望的值。即:无空格和修剪()
知道我做错了什么吗
更新:
这也是可行的,但是我不得不担心Sql注入
string myQuery = string.Format("Update jobs SET poster_email = '{0}', url = '{1}' WHERE company = '{2}'; ", email, url, company);
using (MySqlCommand myCommand = new MySqlCommand(myQuery, myConn))
{
myConn.Open();
myCommand.ExecuteNonQuery();
}
我相信对于MySQL命令,您希望使用“?”而不是“@”:
using (MySqlCommand myCommand = new MySqlCommand("Update jobs SET poster_email = '?1', url = '?2' WHERE company = '?3'; ", myConn))
{
myCommand.Parameters.AddWithValue("?1", email);
myCommand.Parameters.AddWithValue("?2", url);
myCommand.Parameters.AddWithValue("?3", company);
myConn.Open();
myCommand.ExecuteNonQuery();
}