Warning: file_get_contents(/data/phpspider/zhask/data//catemap/2/csharp/332.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
C# 反序列化JSON并将对象保存到MySQL数据库_C#_Mysql_Asp.net_Json - Fatal编程技术网
Fatal编程技术网
  • csharp/
  • C# 反序列化JSON并将对象保存到MySQL数据库

C# 反序列化JSON并将对象保存到MySQL数据库

c# mysql asp.net json

C# 反序列化JSON并将对象保存到MySQL数据库,c#,mysql,asp.net,json,C#,Mysql,Asp.net,Json,我正在尝试将POST请求中的对象保存到我的服务。请求正在发送JSON: { "FirstName": "Ronnsie", "LastName": "Wesleeyson", "BirthPlace": "Zagreb", "Gender": "M", "OIB": "12345678901", "CurrentPlace": "Mauritius", "Department": "D_21510" } 我得到的错误如下: { "Message": "An error has occurred

我正在尝试将POST请求中的对象保存到我的服务。请求正在发送JSON:

{
"FirstName": "Ronnsie",
"LastName": "Wesleeyson",
"BirthPlace": "Zagreb",
"Gender": "M",
"OIB": "12345678901",
"CurrentPlace": "Mauritius",
"Department": "D_21510"
}
我得到的错误如下:

{
"Message": "An error has occurred.",
"ExceptionMessage": "Error executing the command 'INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) VALUES (, , , Mauritius, 1, 21510, )'. The error is 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , Mauritius, 1, 21510, )' at line 1'." ...}

    public long SaveEmployee(Employee employee)
    {
        string sqlString = String.Format(
            "INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) " + 
            "VALUES ({0}, {1}, {2}, {3}, {4}, {5}, {6})",
            employee.FirstName,
            employee.LastName,
            employee.BirthPlace,
            employee.CurrentPlace,
            employee.Gender == EmployeeGender.M ? 1 : 0,
            employee.Department.GetStringValue(),
            employee.OIB
        );

        MySqlCommand cmd = ExecuteSqlCommand(sqlString);
        return cmd.LastInsertedId;
    }

    MySqlCommand ExecuteSqlCommand(string sqlString)
    {
        try
        {
            // execute the SQL command
            MySqlCommand cmd = new MySqlCommand(sqlString, conn);
            cmd.ExecuteNonQuery();

            return cmd;
        }
        catch (MySqlException e)
        {
            // log the error
            throw new Exception(
                String.Format("Error executing the command '{0}'. The error is '{1}'.",
                             sqlString, e.Message));
        }
    }
现在,请求点击此处的控制器:

    [HttpPost]
    [Route("")]
    public void Post([FromBody] Employee employee)
    {
        // saving id for the debugging purposes
        long id = persistence.SaveEmployee(employee);
    }
SaveEmployee功能如下所示:

{
"Message": "An error has occurred.",
"ExceptionMessage": "Error executing the command 'INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) VALUES (, , , Mauritius, 1, 21510, )'. The error is 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , Mauritius, 1, 21510, )' at line 1'." ...}

    public long SaveEmployee(Employee employee)
    {
        string sqlString = String.Format(
            "INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) " + 
            "VALUES ({0}, {1}, {2}, {3}, {4}, {5}, {6})",
            employee.FirstName,
            employee.LastName,
            employee.BirthPlace,
            employee.CurrentPlace,
            employee.Gender == EmployeeGender.M ? 1 : 0,
            employee.Department.GetStringValue(),
            employee.OIB
        );

        MySqlCommand cmd = ExecuteSqlCommand(sqlString);
        return cmd.LastInsertedId;
    }

    MySqlCommand ExecuteSqlCommand(string sqlString)
    {
        try
        {
            // execute the SQL command
            MySqlCommand cmd = new MySqlCommand(sqlString, conn);
            cmd.ExecuteNonQuery();

            return cmd;
        }
        catch (MySqlException e)
        {
            // log the error
            throw new Exception(
                String.Format("Error executing the command '{0}'. The error is '{1}'.",
                             sqlString, e.Message));
        }
    }
我似乎在SQL语法中找不到任何错误。但是,反序列化枚举可能存在问题,因此它们如下所示:

部门代码.cs

[JsonConverter(typeof(StringEnumConverter))]
    public enum EmployeeGender
    {
        M,
        F
    }
[JsonConverter(类型(StringEnumConverter))] 公共枚举部门代码 { D_21510, D_21520, D_21540, D_21570, 杜斯芬, 德乌斯尔克波 }

EmployeeGender.cs

[JsonConverter(typeof(StringEnumConverter))]
    public enum EmployeeGender
    {
        M,
        F
    }
您知道这里的错误是什么吗?

您不应该使用
string.Format
将参数放入这样的SQL语句中。除了您看到的bug之外,正如@SLaks所提到的,它还使您对SQL注入敞开了大门

使用将同时解决您的问题和SQL注入漏洞

您不应该使用
string.Format
将参数放入这样的SQL语句中。除了您看到的bug之外,正如@SLaks所提到的,它还使您对SQL注入敞开了大门

使用将同时解决您的问题和SQL注入漏洞

您有一个SQL注入漏洞。您应该始终参数化SQL,这也是查询出现语法错误的原因,因为您没有将字符串参数放在引号内。这大致就是您想要做的:

public long SaveEmployee(Employee employee)
    {
string connStr = "server=localhost;user=root;database=world;port=3306;password=******;";
MySqlConnection conn = new MySqlConnection(connStr);
        string sqlString = "INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) " + 
            "VALUES (@FirstName,@LastName,@BirthPlace,@CurrentPlace,@Gender,@Department,@OIB)";

cmd.Parameters.AddWithValue(“@FirstName”, employee.FirstName);
cmd.Parameters.AddWithValue(“@LastName”, employee.LastName);
cmd.Parameters.AddWithValue(“@BirthPlace”, employee.BirthPlace);
cmd.Parameters.AddWithValue(“@CurrentPlace”, employee.CurrentPlace);
cmd.Parameters.AddWithValue(“@Gender”, employee.Gender == EmployeeGender.M ? 1 : 0);
cmd.Parameters.AddWithValue(“@Department”, employee.Department.GetStringValue());
cmd.Parameters.AddWithValue(“@OIB”, employee.OIB);

        MySqlCommand cmd = ExecuteSqlCommand(sqlString, conn);
        return cmd.LastInsertedId;
    }
您有一个SQL注入漏洞。您应该始终参数化SQL,这也是查询出现语法错误的原因,因为您没有将字符串参数放在引号内。这大致就是您想要做的:

public long SaveEmployee(Employee employee)
    {
string connStr = "server=localhost;user=root;database=world;port=3306;password=******;";
MySqlConnection conn = new MySqlConnection(connStr);
        string sqlString = "INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) " + 
            "VALUES (@FirstName,@LastName,@BirthPlace,@CurrentPlace,@Gender,@Department,@OIB)";

cmd.Parameters.AddWithValue(“@FirstName”, employee.FirstName);
cmd.Parameters.AddWithValue(“@LastName”, employee.LastName);
cmd.Parameters.AddWithValue(“@BirthPlace”, employee.BirthPlace);
cmd.Parameters.AddWithValue(“@CurrentPlace”, employee.CurrentPlace);
cmd.Parameters.AddWithValue(“@Gender”, employee.Gender == EmployeeGender.M ? 1 : 0);
cmd.Parameters.AddWithValue(“@Department”, employee.Department.GetStringValue());
cmd.Parameters.AddWithValue(“@OIB”, employee.OIB);

        MySqlCommand cmd = ExecuteSqlCommand(sqlString, conn);
        return cmd.LastInsertedId;
    }
您有SQL注入漏洞。您在
值(,,毛里求斯,1,21510,)
中没有看到错误吗?这看起来像有效的SQL吗?您有一个SQL注入漏洞。您在
值(,,毛里求斯,121510,)
中没有看到错误?这看起来像有效的SQL吗?