C# OLEDBEException:条件表达式中的数据类型不匹配该怎么办?
System.Data.OleDb.OLEDBEException:条件表达式中的数据类型不匹配。 围绕这条线:C# OLEDBEException:条件表达式中的数据类型不匹配该怎么办?,c#,oledb,C#,Oledb,System.Data.OleDb.OLEDBEException:条件表达式中的数据类型不匹配。 围绕这条线: public string checkUsername(string username, string password) { string result = "invalid username/password"; string connectionString = "Provider
public string checkUsername(string username, string password)
{
string result = "invalid username/password";
string connectionString =
"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath("~\\myDB\\database.mdb");
string queryString = "SELECT * FROM Table WHERE [username]='" + username + "' AND [password]='" + password + "';";
using (OleDbConnection connection = new OleDbConnection(connectionString))
{
connection.Open();
OleDbCommand command = connection.CreateCommand();
command.CommandText = queryString;
OleDbDataReader reader = command.ExecuteReader();
try
{
while (reader.Read())
{
result = "";
}
}
finally
{
reader.Close();
connection.Close();
}
}
return result;
}
OleDbDataReader reader = command.ExecuteReader();
try
{
while (reader.Read())
刚刚学了几个月的c#,但仍然需要指导。按照SQL语句的方式,您对SQL注入非常开放。它应该参数化,因为您可以选择拍摄。。。把这当作你的陈述
cmd.Parameters.AddWithValue("@password", txtBoxPassword.Text);
SELECT * FROM Table WHERE [username]=@parmUserName AND [password]=@parmPassword
cmd.Parameters.AddWithValue ( "@parmUserName", username);
cmd.Parameters.AddWithValue ( "@parmPassword", password);