C# 如何将select值存储到会话变量中？_C#_Mysql_Asp.net

C# 如何将select值存储到会话变量中？

c# mysql asp.net

C# 如何将select值存储到会话变量中？,c#,mysql,asp.net,C#,Mysql,Asp.net,我希望能够将值存储在空字符串中，我有一个select语句来检索这些值，但我不确定如何将它们存储在“sessionVar”和“sessionVarAddress”中。这是我的密码： MySqlCommand select = new MySqlCommand("SELECT personID, address_addressID from person WHERE email='" + emailAddress + "' and password = '" + passwordR + "'", c

我希望能够将值存储在空字符串中，我有一个select语句来检索这些值，但我不确定如何将它们存储在“sessionVar”和“sessionVarAddress”中。这是我的密码：

MySqlCommand select = new MySqlCommand("SELECT personID, address_addressID from person WHERE email='" + emailAddress + "' and password = '" + passwordR + "'", connect); //brings back the person ID if user details are correct

using (MySqlDataReader reader = select.ExecuteReader()) //executes the SQL statement
{
    if (reader.HasRows)
    {
        string sessionVarAddress = "";
        Session["address_addressId"] = sessionVarAddress;

        string sessionVar = "";                  
        Session["personID"] = sessionVar;

        // other code
    }
}

您应该读取MySqlDataReader中包含的值，并将它们分配给会话

if (reader.Read())
{
    Session["address_addressId"] = reader["address_addressId"].ToString();
    Session["personID"] = reader["personID"].ToString()
}

表示，请尽快做一个关于如何使用参数化查询的搜索。您的代码非常脆弱，容易受到黑客攻击（sql注入），如果有人在传递给数据库的值（解析）中使用单引号，则很容易崩溃

string commandText = @"SELECT personID, address_addressID 
                       from person WHERE email=@email and password = @pwd"; 
MySqlCommand select = new MySqlCommand(commandText, connect); 
select.Parameters.Add("@email", MySqlDbType.VarChar).Value = emailAddress;
select.Parameters.Add("@pwd", MySqlDbType.VarChar).Value = passwordR;
using (MySqlDataReader reader = select.ExecuteReader()) 
{
   .....