此功能有效,因为我按用户ID搜索:
private void showList_Click(object sender, EventArgs e)
{
int id = 0;
for (int i = 0; i <= sqlClient.Count("UserList"); i++)
{
Dictionary<string, string> dik = sqlClient.Select("UserList", "userid = " + id);
var lines = dik.Select(kv => kv.Key + ": " + kv.Value.ToString());
userList.AppendText(string.Join(Environment.NewLine, lines));
userList.AppendText(Environment.NewLine);
userList.AppendText("--------------------------------------");
id++;
}
}
此功能不起作用,因为我通过电子邮件搜索:
private void login_Click(object sender, EventArgs e)
{
string email = lemail.Text;
Dictionary<string, string> dik = sqlClient.Select("UserList", "firstname = " + email);
var lines = dik.Select(kv => kv.Key + ": " + kv.Value.ToString());
logged.AppendText(string.Join(Environment.NewLine, lines));
}
这是我点击登录按钮时收到的错误消息:
您的SQL语法有错误;检查手册 对应于您的MySQL服务器版本,以便使用正确的语法 在第1行'@ aol.com'附近
我在数据库中搜索的电子邮件是“aces@aol.com”,没有引号。 我总是相信错误信息@符号引起冲突,因为我知道这是一个特殊的角色,但我很难找出要搜索的短语来帮助我。
此外,这是被调用的函数:
public Dictionary<string, string> Select(string table, string WHERE)
{
//This methods selects from the database, it retrieves data from it.
//You must make a dictionary to use this since it both saves the column
//and the value. i.e. "age" and "33" so you can easily search for values.
//Example: SELECT * FROM names WHERE name='John Smith'
// This example would retrieve all data about the entry with the name "John Smith"
//Code = Dictionary<string, string> myDictionary = Select("names", "name='John Smith'");
//This code creates a dictionary and fills it with info from the database.
string query = "SELECT * FROM " + table + " WHERE " + WHERE + "";
Dictionary<string, string> selectResult = new Dictionary<string, string>();
if (this.Open())
{
MySqlCommand cmd = new MySqlCommand(query, conn);
MySqlDataReader dataReader = cmd.ExecuteReader();
try
{
while (dataReader.Read())
{
for (int i = 0; i < dataReader.FieldCount; i++)
{
selectResult.Add(dataReader.GetName(i).ToString(), dataReader.GetValue(i).ToString());
}
}
dataReader.Close();
}
catch { }
this.Close();
return selectResult;
}
else
{
return selectResult;
}
}
我的数据库表名为“UserList”
按顺序排列的字段如下:
用户ID,电子邮件,密码,姓氏,名字
非常感谢任何帮助。这个网站很棒!
答案 0 :(得分:0)
您的电子邮件地址存储在名字字段中?
将其更改为您的电子邮件字段
private void login_Click(object sender, EventArgs e)
{
string email = lemail.Text;
Dictionary<string, string> dik = sqlClient.Select("UserList", "YOUR_EMAIL_FIELD = " + email);
var lines = dik.Select(kv => kv.Key + ": " + kv.Value.ToString());
logged.AppendText(string.Join(Environment.NewLine, lines));
}
另外,请查看SQL注入并使用参数化查询。
答案 1 :(得分:0)
我认为问题源于字符串值周围缺少单引号 我可以建议在您的电子邮件值中添加简单的引号,例如
Dictionary<string, string> dik = sqlClient.Select("UserList",
"firstname = '" + email + "'");
但这对你的问题来说真是一个坏办法。
真正的改变应该是通过参数列表来执行查询,并避免所有这些混乱的字符串引号和SQL注入漏洞。
但是,这需要更改Select方法以及调用它的方式
public Dictionary<string, string> Select(string table, string WHERE, MySqlParameter[] prms)
{
string query = "SELECT * FROM " + table + " WHERE " + WHERE + "";
Dictionary<string, string> selectResult = new Dictionary<string, string>();
if (this.Open())
{
MySqlCommand cmd = new MySqlCommand(query, conn);
cmd.Parameters.AddRange(prms);
MySqlDataReader dataReader = cmd.ExecuteReader();
try
{
......
}
catch { }
this.Close();
return selectResult;
}
else
{
return selectResult;
}
}
呼叫应该是
List<MySqlParameter> prms = new List<MySqlParameter>()
MySqlParameter p = new MySqlParameter("@mail", SqlDbType.VarChar).Value = lemail.Text;
prms.Add(p);
Dictionary<string, string> dik = sqlClient.Select("UserList", "firstname = @mail", prms.ToArray());
您的代码中还有其他关键点,尽管与您当前的异常无关。
1)如果这个sqlClient.Count计算你的表的记录,那么行
for (int i = 0; i <= sqlClient.Count("UserList"); i++)
为一个元素循环超过需要。只需i < sqlClient.Count
2)在Select方法中,您吞下了异常,这非常糟糕,因为这个关键方法中的每个失败都将永远不会被知道。