C# - 网站 - SQL Select 语句
我想使用 select 语句来查找是否存在已存在的记录。我已将代码放在下面,但它在 dReader = comm.ExecuteReader(); 处引发错误我不确定为什么。有什么帮助吗?
string connString = "Data Source=KIMMY-MSI\\SQLEXPRESS;Initial Catalog=Northwind;Integrated Security=True";
SqlDataReader dReader;
SqlConnection conn = new SqlConnection(connString);
SqlCommand comm = new SqlCommand();
comm.Connection = conn;
comm.CommandText = "SELECT * FROM Customers WHERE CustomerID == " + txtID.Text;
comm.Connection.Open();
dReader = comm.ExecuteReader();
if (dReader.HasRows == true)
{
Response.Write("Exists");
}
错误:
Invalid Column Name (whatever I input)
它似乎正在寻找名为我输入的列,而不是寻找实际数据。
I want to use a select statement to find if there is a record that already exists. I've put the code below but it throws an error at the dReader = comm.ExecuteReader(); and i'm unsure why. Any help?
string connString = "Data Source=KIMMY-MSI\\SQLEXPRESS;Initial Catalog=Northwind;Integrated Security=True";
SqlDataReader dReader;
SqlConnection conn = new SqlConnection(connString);
SqlCommand comm = new SqlCommand();
comm.Connection = conn;
comm.CommandText = "SELECT * FROM Customers WHERE CustomerID == " + txtID.Text;
comm.Connection.Open();
dReader = comm.ExecuteReader();
if (dReader.HasRows == true)
{
Response.Write("Exists");
}
The error:
Invalid Column Name (whatever I input)
It seems to be looking for a column named what I input rather than looking for the actual data.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
将
==更改为=。这是无效的 SQL。此外,如果 txtID.Text 是非数字,则需要用单引号引起来。您不应该像这样构建 SQL,而应使用参数:
更多信息
C# using语句
SQL 参考
SQL 注入(为什么你应该参数化你的查询)
Change your
==to=. That is invalid SQL as it is.Also if txtID.Text is non-numeric then it needs to be in single quotes. You should not be constructing your SQL like this, instead use a parameter:
More Info
C# using statement
SQL reference
SQL injection (why you should parameterize your queries)
您的命令似乎有问题:
在 SQL 中,您不需要使用 == 运算符来确保某些内容与另一个内容相等。
尝试:
此外,您可能需要阅读有关 SQL 注入的信息,绑定值的方式是直接来自文本框值。这有一个巨大的安全漏洞,可能导致任意 sql 命令执行。
It looks like your command has an issue:
In SQL you don't need to use the == operator to ensure something is equal to another.
Try:
In addition, you might want to read up about SQL Injection, the way you are binding the value is directly from a textbox value. This has a huge security hole which could lead to arbitrary sql command execution.
更改此行:
更改为此行:
假设您的客户 ID 在数据库中为 int。
Change this line:
To this line:
Assuming that your customer id is int on the database.
SQL 中的等于运算符只是一个
=。另外,你真的不应该像这样连接 SQL 查询,你只是让自己面临 SQL 注入攻击< /a>.因此,将其更改为如下所示:
请参阅在 SQL 注入攻击阻止您之前阻止它们。
The equals operator in SQL is just a single
=.Also, you really shouldn't be concatenating SQL queries like that, you are just opening yourself up to SQL Injection attack. So change it to be like this:
See Stop SQL Injection Attacks Before They Stop You on MSDN.
您正在使用无效的 SQL。您命名将“==”更改为“=”。
您还应该考虑将
IDisposable对象包装在using语句中,以便正确处置非托管对象并正确关闭连接。最后,考虑在 SQL 中使用参数,而不是连接字符串,以避免 SQL 注入攻击:
You are using invalid SQL. You name to change "==" to "=".
You should also consider wrapping your
IDisposableobjects inusingstatements so that unmanaged objects are properly disposed of and connections are properly closed.Finally, think about using parameters in your SQL, instead of concatenating strings, to avoid SQL injection attacks: