检查数据库文件中是否存在 ID 时出错
我正在尝试检查数据库中是否已存在某个 ID。如果没有,我希望用户将 id 更改为其他内容。
所有这些都是在textobx的TextChanged函数中完成的。
问题是我收到一个错误,由于查询看起来不错,我不确定为什么会看到这个:The SELECT 语句包含拼写错误或丢失的保留字或参数名称,或者标点符号不正确。
执行检查的方法:
private bool DoesIDExist(int dataID, string filePath)
{
HashPhrase hash = new HashPhrase();
DataTable temp = new DataTable();
string hashShortPass = hash.ShortHash(pass);
bool result = false;
// Creating a connection string. Using placeholders make code
// easier to understand.
string connectionString =
@"Provider=Microsoft.ACE.OLEDB.12.0; Data Source={0};
Persist Security Info=False; Jet OLEDB:Database Password={1};";
string sql = string.Format
("SELECT FROM PersonalData WHERE [DataID] = {0}", dataID);
using (OleDbConnection connection = new OleDbConnection())
{
// Creating command object.
// Using a string formatting let me to insert data into
// place holders I have used earlier.
connection.ConnectionString =
string.Format(connectionString, filePath, hashShortPass);
using (OleDbCommand command = new OleDbCommand(sql, connection))
{
// Creating command object.
// Using a string formatting let me to insert data into
// place holders I have used earlier.
connection.ConnectionString =
string.Format(connectionString, filePath, hashShortPass);
try
{
// Open database connection.
connection.Open();
using (OleDbDataReader read = command.ExecuteReader())
{
// Checking if there is any data in the file.
if (read.HasRows)
{
// Reading information from the file.
while (read.Read())
{
if (read.GetInt32(0) == dataID)
return true;
}
}
}
}
catch (Exception ex)
{
MessageBox.Show("Error: " + ex.Message);
}
}
}
return result;
}
I am trying to check if certain ID already exists in database. When it doesn't, I want user to change the id to something else.
All this is done in TextChanged function of textobx.
The problem is that I am getting an error, and since query looks good I am not sure why i see this: The SELECT statement includes a reserved word or an argument name that is misspelled or missing, or the punctuation is incorrect.
Method which does the check:
private bool DoesIDExist(int dataID, string filePath)
{
HashPhrase hash = new HashPhrase();
DataTable temp = new DataTable();
string hashShortPass = hash.ShortHash(pass);
bool result = false;
// Creating a connection string. Using placeholders make code
// easier to understand.
string connectionString =
@"Provider=Microsoft.ACE.OLEDB.12.0; Data Source={0};
Persist Security Info=False; Jet OLEDB:Database Password={1};";
string sql = string.Format
("SELECT FROM PersonalData WHERE [DataID] = {0}", dataID);
using (OleDbConnection connection = new OleDbConnection())
{
// Creating command object.
// Using a string formatting let me to insert data into
// place holders I have used earlier.
connection.ConnectionString =
string.Format(connectionString, filePath, hashShortPass);
using (OleDbCommand command = new OleDbCommand(sql, connection))
{
// Creating command object.
// Using a string formatting let me to insert data into
// place holders I have used earlier.
connection.ConnectionString =
string.Format(connectionString, filePath, hashShortPass);
try
{
// Open database connection.
connection.Open();
using (OleDbDataReader read = command.ExecuteReader())
{
// Checking if there is any data in the file.
if (read.HasRows)
{
// Reading information from the file.
while (read.Read())
{
if (read.GetInt32(0) == dataID)
return true;
}
}
}
}
catch (Exception ex)
{
MessageBox.Show("Error: " + ex.Message);
}
}
}
return result;
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我认为您的选择缺少一些您想要提取的列?
不应该是这样的吗:
I think your select is missing some columns you want to extract out??
Shouldn't it be something like:
您缺少选择的内容
更改为类似
And: 您可以按照构建查询的方式接受 SQL 注入。
You're missing what to select
Change to something like
And: you're open to SQL-Injection the way you build your query.
您需要在 SELECT 子句中指定一些内容。我猜:
You need to specify something in the
SELECTclause. I guess:问题在于这行代码:
您需要指定要选择的内容。示例:
SELECT *、SELECT [MyColumn]、SELECT TOP 1 *等。根据您的要求,类似的内容似乎是您想要的正在寻找:其他信息:
如果在网络上使用此方法,例如从查询字符串中提取 ID,那么您将面临 SQL 注入攻击< /强>。稍微修改一下你的代码就可以解决这个问题:
The issue is with this line of code:
You need to specify what you want to select. Example:
SELECT *,SELECT [MyColumn],SELECT TOP 1 *, etc. Based on your requirements, something like seems to be what you're looking for:Additional Information:
If this method is being used on the web, say pulling in an ID from the query string, then you're leaving yourself open to SQL injection attack. Slightly modifiying your code would fix the problem: