C# 反序列化JSON并将对象保存到MySQL数据库
我正在尝试将POST请求中的对象保存到我的服务。请求正在发送JSON:C# 反序列化JSON并将对象保存到MySQL数据库,c#,mysql,asp.net,json,C#,Mysql,Asp.net,Json,我正在尝试将POST请求中的对象保存到我的服务。请求正在发送JSON: { "FirstName": "Ronnsie", "LastName": "Wesleeyson", "BirthPlace": "Zagreb", "Gender": "M", "OIB": "12345678901", "CurrentPlace": "Mauritius", "Department": "D_21510" } 我得到的错误如下: { "Message": "An error has occurred
{
"FirstName": "Ronnsie",
"LastName": "Wesleeyson",
"BirthPlace": "Zagreb",
"Gender": "M",
"OIB": "12345678901",
"CurrentPlace": "Mauritius",
"Department": "D_21510"
}
我得到的错误如下:
{
"Message": "An error has occurred.",
"ExceptionMessage": "Error executing the command 'INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) VALUES (, , , Mauritius, 1, 21510, )'. The error is 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , Mauritius, 1, 21510, )' at line 1'." ...}
public long SaveEmployee(Employee employee)
{
string sqlString = String.Format(
"INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) " +
"VALUES ({0}, {1}, {2}, {3}, {4}, {5}, {6})",
employee.FirstName,
employee.LastName,
employee.BirthPlace,
employee.CurrentPlace,
employee.Gender == EmployeeGender.M ? 1 : 0,
employee.Department.GetStringValue(),
employee.OIB
);
MySqlCommand cmd = ExecuteSqlCommand(sqlString);
return cmd.LastInsertedId;
}
MySqlCommand ExecuteSqlCommand(string sqlString)
{
try
{
// execute the SQL command
MySqlCommand cmd = new MySqlCommand(sqlString, conn);
cmd.ExecuteNonQuery();
return cmd;
}
catch (MySqlException e)
{
// log the error
throw new Exception(
String.Format("Error executing the command '{0}'. The error is '{1}'.",
sqlString, e.Message));
}
}
现在,请求点击此处的控制器:
[HttpPost]
[Route("")]
public void Post([FromBody] Employee employee)
{
// saving id for the debugging purposes
long id = persistence.SaveEmployee(employee);
}
而SaveEmployee功能如下所示:
{
"Message": "An error has occurred.",
"ExceptionMessage": "Error executing the command 'INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) VALUES (, , , Mauritius, 1, 21510, )'. The error is 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , Mauritius, 1, 21510, )' at line 1'." ...}
public long SaveEmployee(Employee employee)
{
string sqlString = String.Format(
"INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) " +
"VALUES ({0}, {1}, {2}, {3}, {4}, {5}, {6})",
employee.FirstName,
employee.LastName,
employee.BirthPlace,
employee.CurrentPlace,
employee.Gender == EmployeeGender.M ? 1 : 0,
employee.Department.GetStringValue(),
employee.OIB
);
MySqlCommand cmd = ExecuteSqlCommand(sqlString);
return cmd.LastInsertedId;
}
MySqlCommand ExecuteSqlCommand(string sqlString)
{
try
{
// execute the SQL command
MySqlCommand cmd = new MySqlCommand(sqlString, conn);
cmd.ExecuteNonQuery();
return cmd;
}
catch (MySqlException e)
{
// log the error
throw new Exception(
String.Format("Error executing the command '{0}'. The error is '{1}'.",
sqlString, e.Message));
}
}
我似乎在SQL语法中找不到任何错误。但是,反序列化枚举可能存在问题,因此它们如下所示:
部门代码.cs
[JsonConverter(typeof(StringEnumConverter))]
public enum EmployeeGender
{
M,
F
}
[JsonConverter(类型(StringEnumConverter))]
公共枚举部门代码
{
D_21510,
D_21520,
D_21540,
D_21570,
杜斯芬,
德乌斯尔克波
}
EmployeeGender.cs
[JsonConverter(typeof(StringEnumConverter))]
public enum EmployeeGender
{
M,
F
}
您知道这里的错误是什么吗?您不应该使用
string.Format
将参数放入这样的SQL语句中。除了您看到的bug之外,正如@SLaks所提到的,它还使您对SQL注入敞开了大门
使用将同时解决您的问题和SQL注入漏洞 您不应该使用
string.Format
将参数放入这样的SQL语句中。除了您看到的bug之外,正如@SLaks所提到的,它还使您对SQL注入敞开了大门
使用将同时解决您的问题和SQL注入漏洞 您有一个SQL注入漏洞。您应该始终参数化SQL,这也是查询出现语法错误的原因,因为您没有将字符串参数放在引号内。这大致就是您想要做的:
public long SaveEmployee(Employee employee)
{
string connStr = "server=localhost;user=root;database=world;port=3306;password=******;";
MySqlConnection conn = new MySqlConnection(connStr);
string sqlString = "INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) " +
"VALUES (@FirstName,@LastName,@BirthPlace,@CurrentPlace,@Gender,@Department,@OIB)";
cmd.Parameters.AddWithValue(“@FirstName”, employee.FirstName);
cmd.Parameters.AddWithValue(“@LastName”, employee.LastName);
cmd.Parameters.AddWithValue(“@BirthPlace”, employee.BirthPlace);
cmd.Parameters.AddWithValue(“@CurrentPlace”, employee.CurrentPlace);
cmd.Parameters.AddWithValue(“@Gender”, employee.Gender == EmployeeGender.M ? 1 : 0);
cmd.Parameters.AddWithValue(“@Department”, employee.Department.GetStringValue());
cmd.Parameters.AddWithValue(“@OIB”, employee.OIB);
MySqlCommand cmd = ExecuteSqlCommand(sqlString, conn);
return cmd.LastInsertedId;
}
您有一个SQL注入漏洞。您应该始终参数化SQL,这也是查询出现语法错误的原因,因为您没有将字符串参数放在引号内。这大致就是您想要做的:
public long SaveEmployee(Employee employee)
{
string connStr = "server=localhost;user=root;database=world;port=3306;password=******;";
MySqlConnection conn = new MySqlConnection(connStr);
string sqlString = "INSERT INTO Employee (FirstName, LastName, BirthPlace, CurrentPlace, Gender, Department, OIB) " +
"VALUES (@FirstName,@LastName,@BirthPlace,@CurrentPlace,@Gender,@Department,@OIB)";
cmd.Parameters.AddWithValue(“@FirstName”, employee.FirstName);
cmd.Parameters.AddWithValue(“@LastName”, employee.LastName);
cmd.Parameters.AddWithValue(“@BirthPlace”, employee.BirthPlace);
cmd.Parameters.AddWithValue(“@CurrentPlace”, employee.CurrentPlace);
cmd.Parameters.AddWithValue(“@Gender”, employee.Gender == EmployeeGender.M ? 1 : 0);
cmd.Parameters.AddWithValue(“@Department”, employee.Department.GetStringValue());
cmd.Parameters.AddWithValue(“@OIB”, employee.OIB);
MySqlCommand cmd = ExecuteSqlCommand(sqlString, conn);
return cmd.LastInsertedId;
}
您有SQL注入漏洞。您在
值(,,毛里求斯,1,21510,)
中没有看到错误吗?这看起来像有效的SQL吗?您有一个SQL注入漏洞。您在值(,,毛里求斯,121510,)
中没有看到错误?这看起来像有效的SQL吗?