C# Updating multiple MySQL columns with a parameterized update command (Fatal编程技术网; tags: c#, mysql, sql-update, parameterized-query)



In my application I want to update multiple MySQL columns with an update command. I tried it with the code below, but I know it is really unsafe, because it leads to SQL injection attacks. But I do not know how to write the query with parameters to update multiple MySQL columns.

Here is my code:

using MySql.Data.MySqlClient;

// Form input is pasted straight into the connection string as well, not only into the SQL text.
string constring = string.Format("datasource='{0}';port='{1}';database='{2}';username=claimsprologin;password=xxxxxxxxxxxxxxxx;Connect Timeout=180;Command Timeout=180", serveriplable.Text, portno.Text, databasenamelable.Text);

// Vulnerable as described in the question: every textbox value is concatenated into the SQL statement,
// so a quote character in any field changes the statement itself (kept here as the "before" code;
// only the stray comma before WHERE and the stray spaces inside the quoted values were fixed).
string Query = "update claimloans set loannumber = '" + this.loannumbertextbox.Text.Trim() + "', pool = '" + this.loanpooltextbox.Text.Trim() + "', disblid = '" + this.disbidtextbox.Text.Trim() + "', category = '" + this.categorytxtbox.Text.Trim() + "', subcacategory = '" + this.subcategorytxtbox.Text.Trim() + "', invoice = '" + this.invoicenumbertextbox.Text.Trim() + "', invoicedate = '" + this.invoicedatetextbox.Text.Trim() + "', docs = '" + this.docscombobox.Text.Trim() + "' where username = '" + this.usernamelable.Text.Trim() + "';";
MySqlConnection conwaqDatabase = new MySqlConnection(constring);
MySqlCommand cmdwaqDatabase = new MySqlCommand(Query, conwaqDatabase);
MySqlDataReader myreader;

try {
    conwaqDatabase.Open();
    // ExecuteReader on an UPDATE returns an empty reader; ExecuteNonQuery would return the affected row count instead.
    myreader = cmdwaqDatabase.ExecuteReader();
    while (myreader.Read()) { }

    MessageBox.Show("Credential informations are updated");

    conwaqDatabase.Close();
}
catch {
    // Empty catch: a failed or malformed update is silently swallowed.
}

You can use something like this. Add placeholders in the SQL command, then add the parameter values in after running ExecuteReader.

string constring = string.Format("datasource='{0}';port='{1}';database='{2}';username=claimsprologin;password=gfx)C#G$aD3bL`@;Connect Timeout=180;Command Timeout=180", serveriplable.Text, portno.Text, databasenamelable.Text);
// Placeholders are not quoted, and there is no comma before "where".
string Query = "update claimloans set loannumber = @loannumbertextbox, pool = @loanpooltextbox, disblid = @disbidtextbox, category = @categorytxtbox, subcacategory = @subcategorytxtbox, invoice = @invoicenumbertextbox, invoicedate = @invoicedatetextbox, docs = @docscombobox where username = @usernamelable;";
MySqlConnection conwaqDatabase = new MySqlConnection(constring);
MySqlCommand cmdwaqDatabase = new MySqlCommand(Query, conwaqDatabase);

// One AddWithValue per placeholder; the remaining eight (@loanpooltextbox ... @usernamelable) follow the same pattern.
cmdwaqDatabase.Parameters.AddWithValue("@loannumbertextbox", this.loannumbertextbox.Text.Trim());
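As an added example (not code from the question or the answer above), here is the same UPDATE fully parameterized, one explicitly typed parameter per placeholder, with the result of ExecuteNonQuery returned so the caller can tell whether any row matched. The column and table names are those of the original query; the class and method names, the DATE type assumed for invoicedate, and the use of MySqlConnectionStringBuilder for the server, port and database values typed into the form are assumptions.

```csharp
using System;
using MySql.Data.MySqlClient;

public sealed class ClaimLoanRepository
{
    private readonly string _connectionString;

    // Assumption: server/port/database still come from the form, as in the question.
    public ClaimLoanRepository(string server, uint port, string database, string user, string password)
    {
        // The builder quotes each value, so a typed host or database name cannot append extra keys the way string.Format would.
        var csb = new MySqlConnectionStringBuilder
        {
            Server = server, Port = port, Database = database,
            UserID = user, Password = password,
            ConnectionTimeout = 180, DefaultCommandTimeout = 180
        };
        _connectionString = csb.ConnectionString;
    }

    // Returns the number of rows changed, so a username that matched nothing is
    // reported as 0 instead of the unconditional "updated" message in the question.
    public int UpdateClaimLoan(string username, string loanNumber, string pool, string disbId,
        string category, string subCategory, string invoice, DateTime invoiceDate, string docs)
    {
        // No trailing comma before WHERE and no quotes around placeholders:
        // the driver sends the values separately from the SQL text.
        const string sql =
            "UPDATE claimloans SET loannumber = @loannumber, pool = @pool, disblid = @disblid, " +
            "category = @category, subcacategory = @subcacategory, invoice = @invoice, " +
            "invoicedate = @invoicedate, docs = @docs WHERE username = @username";
        using (var con = new MySqlConnection(_connectionString))
        using (var cmd = new MySqlCommand(sql, con))
        {
            // Explicit types instead of AddWithValue: no type inference from the string content.
            cmd.Parameters.Add("@loannumber", MySqlDbType.VarChar).Value = loanNumber.Trim();
            cmd.Parameters.Add("@pool", MySqlDbType.VarChar).Value = pool.Trim();
            cmd.Parameters.Add("@disblid", MySqlDbType.VarChar).Value = disbId.Trim();
            cmd.Parameters.Add("@category", MySqlDbType.VarChar).Value = category.Trim();
            cmd.Parameters.Add("@subcacategory", MySqlDbType.VarChar).Value = subCategory.Trim();
            cmd.Parameters.Add("@invoice", MySqlDbType.VarChar).Value = invoice.Trim();
            cmd.Parameters.Add("@invoicedate", MySqlDbType.Date).Value = invoiceDate; // assumed DATE column
            cmd.Parameters.Add("@docs", MySqlDbType.VarChar).Value = docs.Trim();
            cmd.Parameters.Add("@username", MySqlDbType.VarChar).Value = username.Trim();
            con.Open();
            return cmd.ExecuteNonQuery(); // an UPDATE returns no rows, so no reader is needed
        }
    }
}
```

Parse invoicedatetextbox.Text with DateTime.TryParseExact before calling this method, so a malformed date is rejected by the form rather than by the database.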

Why not use a parameterized query?