C# 在查询中使用文本值
我似乎是个白痴,试图用C语言对SQL数据库执行简单的查询。 这是我正在尝试执行的查询:C# 在查询中使用文本值,c#,sql,C#,Sql,我似乎是个白痴,试图用C语言对SQL数据库执行简单的查询。 这是我正在尝试执行的查询: _query = "SELECT PC.SN, User.Name + ' ' + User.Family as AssignedTo " + "FROM PC LEFT JOIN Users ON PC.USERID = Users.ID " + "WHERE PC.Type = '" + AssetTypeCB.SelectedItem.ToString()
_query = "SELECT PC.SN, User.Name + ' ' + User.Family as AssignedTo " +
"FROM PC LEFT JOIN Users ON PC.USERID = Users.ID " +
"WHERE PC.Type = '" + AssetTypeCB.SelectedItem.ToString() + "'";
你知道可能是什么问题吗?你的查询似乎有误。您需要将User.Name更改为Users.Name等。正确的查询为:
_query = "SELECT PC.SN, Users.Name + ' ' + Users.Family as AssignedTo " +
"FROM PC LEFT JOIN Users ON PC.USERID = Users.ID " +
"WHERE PC.Type = '" + AssetTypeCB.SelectedItem.ToString() + "'";
另外,请允许我建议对代码使用参数化查询。我可以告诉你为什么你应该 您的查询似乎有误。您需要将User.Name更改为Users.Name等。正确的查询为:
_query = "SELECT PC.SN, Users.Name + ' ' + Users.Family as AssignedTo " +
"FROM PC LEFT JOIN Users ON PC.USERID = Users.ID " +
"WHERE PC.Type = '" + AssetTypeCB.SelectedItem.ToString() + "'";
另外,请允许我建议对代码使用参数化查询。我可以告诉你为什么你应该 我认为最好在查询中添加参数
using System;
using System.Data;
using System.Data.SqlClient;
class ParamDemo
{
static void Main()
{
// conn and reader declared outside try
// block for visibility in finally block
SqlConnection conn = null;
SqlDataReader reader = null;
string inputCity = "London";
try
{
// instantiate and open connection
conn = new
SqlConnection("Server=(local);DataBase=Northwind;Integrated Security=SSPI");
conn.Open();
// don't ever do this
// SqlCommand cmd = new SqlCommand(
// "select * from Customers where city = '" + inputCity + "'";
// 1. declare command object with parameter
SqlCommand cmd = new SqlCommand(
"select * from Customers where city = @City", conn);
// 2. define parameters used in command object
SqlParameter param = new SqlParameter();
param.ParameterName = "@City";
param.Value = inputCity;
// 3. add new parameter to command object
cmd.Parameters.Add(param);
// get data stream
reader = cmd.ExecuteReader();
// write each record
while(reader.Read())
{
Console.WriteLine("{0}, {1}",
reader["CompanyName"],
reader["ContactName"]);
}
}
finally
{
// close reader
if (reader != null)
{
reader.Close();
}
// close connection
if (conn != null)
{
conn.Close();
}
}
}
}
我认为最好向查询中添加参数
using System;
using System.Data;
using System.Data.SqlClient;
class ParamDemo
{
static void Main()
{
// conn and reader declared outside try
// block for visibility in finally block
SqlConnection conn = null;
SqlDataReader reader = null;
string inputCity = "London";
try
{
// instantiate and open connection
conn = new
SqlConnection("Server=(local);DataBase=Northwind;Integrated Security=SSPI");
conn.Open();
// don't ever do this
// SqlCommand cmd = new SqlCommand(
// "select * from Customers where city = '" + inputCity + "'";
// 1. declare command object with parameter
SqlCommand cmd = new SqlCommand(
"select * from Customers where city = @City", conn);
// 2. define parameters used in command object
SqlParameter param = new SqlParameter();
param.ParameterName = "@City";
param.Value = inputCity;
// 3. add new parameter to command object
cmd.Parameters.Add(param);
// get data stream
reader = cmd.ExecuteReader();
// write each record
while(reader.Read())
{
Console.WriteLine("{0}, {1}",
reader["CompanyName"],
reader["ContactName"]);
}
}
finally
{
// close reader
if (reader != null)
{
reader.Close();
}
// close connection
if (conn != null)
{
conn.Close();
}
}
}
}
此查询使您面临SQL注入攻击。您应该将其转换为准备好的语句,但是实际的错误是由于您使用了表名Users。你已经选择了。。。如果User应该是Users,则不会出现错误的列名错误的原因是User是保留关键字,因此SQL Server将给您该特定错误,除非您用[]分隔表名。下面的代码应该可以修复它
string _query = "SELECT PC.SN, Users.Name + ' ' + Users.Family as AssignedTo FROM PC LEFT JOIN Users ON PC.USERID = Users.ID WHERE PC.Type = @Type";
SqlConnection conn = new SqlConnection("YOUR_CONNECTION_STRING");
SqlCommand cmd = new SqlCommand(_query, connection);
cmd.Parameters.AddWithValue("Type", AssetTypeCB.SelectedItem.Value);
DataTable dt = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter(cmd);
adp.Fill(dt);
string _query = "SELECT PC.SN, [User].Name + ' ' + [User].Family as AssignedTo FROM PC LEFT JOIN [User] ON PC.USERID = [User].ID WHERE PC.Type = @Type";
SqlConnection conn = new SqlConnection("YOUR_CONNECTION_STRING");
SqlCommand cmd = new SqlCommand(_query, connection);
cmd.Parameters.AddWithValue("Type", AssetTypeCB.SelectedItem.ToString());
DataTable dt = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter(cmd);
adp.Fill(dt);
'; DELETE FROM Users; --
SELECT PC.SN, User.Name + ' ' + User.Family as AssignedTo
FROM PC LEFT JOIN Users ON PC.USERID = Users.ID
WHERE PC.Type = ''; DELETE FROM Users; --'
此语句完全有效,并且给定用户的权限级别,这可能会从Users表中删除所有记录。使用准备好的语句有助于阻止这种情况发生。此查询使您面临SQL注入攻击。您应该将其转换为准备好的语句,但是实际的错误是由于您使用了表名Users。你已经选择了。。。如果User应该是Users,则不会出现错误的列名错误的原因是User是保留关键字,因此SQL Server将给您该特定错误,除非您用[]分隔表名。下面的代码应该可以修复它
string _query = "SELECT PC.SN, Users.Name + ' ' + Users.Family as AssignedTo FROM PC LEFT JOIN Users ON PC.USERID = Users.ID WHERE PC.Type = @Type";
SqlConnection conn = new SqlConnection("YOUR_CONNECTION_STRING");
SqlCommand cmd = new SqlCommand(_query, connection);
cmd.Parameters.AddWithValue("Type", AssetTypeCB.SelectedItem.Value);
DataTable dt = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter(cmd);
adp.Fill(dt);
string _query = "SELECT PC.SN, [User].Name + ' ' + [User].Family as AssignedTo FROM PC LEFT JOIN [User] ON PC.USERID = [User].ID WHERE PC.Type = @Type";
SqlConnection conn = new SqlConnection("YOUR_CONNECTION_STRING");
SqlCommand cmd = new SqlCommand(_query, connection);
cmd.Parameters.AddWithValue("Type", AssetTypeCB.SelectedItem.ToString());
DataTable dt = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter(cmd);
adp.Fill(dt);
'; DELETE FROM Users; --
SELECT PC.SN, User.Name + ' ' + User.Family as AssignedTo
FROM PC LEFT JOIN Users ON PC.USERID = Users.ID
WHERE PC.Type = ''; DELETE FROM Users; --'
此语句完全有效,并且给定用户的权限级别,这可能会从Users表中删除所有记录。使用准备好的语句有助于阻止这种情况发生。SQL注入的好例子:出于传播目的:使用参数化查询。请参阅以了解为什么上面的注释是好的。SQL注入的好示例:出于传播目的:使用参数化查询。请参阅上面的注释为什么是好的。非常感谢您的帮助和指导。它现在正在工作:非常感谢您的帮助和指导。它现在正在工作: