C# 使用参数化更新命令更新多个mysql列
在我的应用程序中,我想使用update命令更新多个MySQL列。我用下面的代码进行了尝试,但我知道它确实不安全。因为它导致了SQL注入攻击。但是我不知道如何使用参数编写查询来更新多个MySQL列 这是我的代码:C# 使用参数化更新命令更新多个mysql列,c#,mysql,sql-update,parameterized-query,C#,Mysql,Sql Update,Parameterized Query,在我的应用程序中,我想使用update命令更新多个MySQL列。我用下面的代码进行了尝试,但我知道它确实不安全。因为它导致了SQL注入攻击。但是我不知道如何使用参数编写查询来更新多个MySQL列 这是我的代码: string constring = string.Format("datasource='{0}';port='{1}';database='{2}';username=claimsprologin;password=xxxxxxxxxxxxxxxx;Connect Timeout=1
string constring = string.Format("datasource='{0}';port='{1}';database='{2}';username=claimsprologin;password=xxxxxxxxxxxxxxxx;Connect Timeout=180;Command Timeout=180", serveriplable.Text, portno.Text, databasenamelable.Text);
string Query = "update claimloans set loannumber= '" + this.loannumbertextbox.Text.Trim() + " ', pool = '" + this.loanpooltextbox.Text.Trim() + "' , disblid = '" + this.disbidtextbox.Text.Trim() + "' , category = '" + this.categorytxtbox.Text.Trim() + " ', subcacategory = '" + this.subcategorytxtbox.Text.Trim() + " ', invoice = '" + this.invoicenumbertextbox.Text.Trim() + " ', invoicedate = '" + this.invoicedatetextbox.Text.Trim() + " ', docs = '" + this.docscombobox.Text.Trim() + "' , where username = '" + this.usernamelable.Text.Trim() + "' ;";
MySqlConnection conwaqDatabase = new MySqlConnection(constring);
MySqlCommand cmdwaqDatabase = new MySqlCommand(Query, conwaqDatabase);
MySqlDataReader myreader;
try {
conwaqDatabase.Open();
myreader = cmdwaqDatabase.ExecuteReader();
while (myreader.Read()) { }
MessageBox.Show("Credential informations are updated");
conwaqDatabase.Close();
}
catch {
}
你可以用这样的东西。在sql命令中添加占位符,然后在运行ExecuteReader之后在中添加参数值
string constring = string.Format("datasource='{0}';port='{1}';database='{2}';username=claimsprologin;password=gfx)C#G$aD3bL`@;Connect Timeout=180;Command Timeout=180", serveriplable.Text, portno.Text, databasenamelable.Text);
string Query = "update claimloans set loannumber= @loannumbertextbox, pool = @loanpooltextbox, disblid = @disbidtextbox, category = @categorytxtbox, subcacategory = @subcategorytxtbox, invoice = @invoicenumbertextbox, invoicedate = @invoicedatetextbox, docs = @docscombobox, where username = @usernamelable;";
MySqlConnection conwaqDatabase = new MySqlConnection(constring);
MySqlCommand cmdwaqDatabase = new MySqlCommand(Query, conwaqDatabase);
cmdwaqDatabase .Parameters.AddWithValue("@loannumbertextbox", this.loannumbertextbox.Text.Trim());
为什么不使用参数化查询?