C# 如何将select值存储到会话变量中?
我希望能够将值存储在空字符串中,我有一个select语句来检索这些值,但我不确定如何将它们存储在“sessionVar”和“sessionVarAddress”中。这是我的密码:C# 如何将select值存储到会话变量中?,c#,mysql,asp.net,C#,Mysql,Asp.net,我希望能够将值存储在空字符串中,我有一个select语句来检索这些值,但我不确定如何将它们存储在“sessionVar”和“sessionVarAddress”中。这是我的密码: MySqlCommand select = new MySqlCommand("SELECT personID, address_addressID from person WHERE email='" + emailAddress + "' and password = '" + passwordR + "'", c
MySqlCommand select = new MySqlCommand("SELECT personID, address_addressID from person WHERE email='" + emailAddress + "' and password = '" + passwordR + "'", connect); //brings back the person ID if user details are correct
using (MySqlDataReader reader = select.ExecuteReader()) //executes the SQL statement
{
if (reader.HasRows)
{
string sessionVarAddress = "";
Session["address_addressId"] = sessionVarAddress;
string sessionVar = "";
Session["personID"] = sessionVar;
// other code
}
}
您应该读取MySqlDataReader中包含的值,并将它们分配给会话
if (reader.Read())
{
Session["address_addressId"] = reader["address_addressId"].ToString();
Session["personID"] = reader["personID"].ToString()
}
表示,请尽快做一个关于如何使用参数化查询的搜索。您的代码非常脆弱,容易受到黑客攻击(sql注入),如果有人在传递给数据库的值(解析)中使用单引号,则很容易崩溃
string commandText = @"SELECT personID, address_addressID
from person WHERE email=@email and password = @pwd";
MySqlCommand select = new MySqlCommand(commandText, connect);
select.Parameters.Add("@email", MySqlDbType.VarChar).Value = emailAddress;
select.Parameters.Add("@pwd", MySqlDbType.VarChar).Value = passwordR;
using (MySqlDataReader reader = select.ExecuteReader())
{
.....