使用参数避免SQL注入?

时间:2014-04-30 14:19:45

标签: c# mysql winforms parameters

我最近调整了我的代码以避免SQL注入并获得了添加参数的帮助,但现在代码对我来说是半外来的,并且想知道MySqlCommand.Parameters需要什么对象引用

MySqlParameter parameter = new MySqlParameter();
        parameter.ParameterName = "@userid";
        parameter.MySqlDbType = MySqlDbType.NVarChar;
        parameter.Direction = ParameterDirection.Input;
        parameter.Value = this.userid_txt.Text;
        parameter.Value = this.email_txt.Text;
        parameter.Value = this.passone_txt.Text;
        parameter.Value = this.passtwo_txt.Text;
        parameter.Value = this.lastname_txt.Text;
        parameter.Value = this.firstname_txt.Text;

        string Query = "insert into userdatabase.users (userid, email, passone, passtwo, lastname, firstname) values(@userid,@email,@passone,@passtwo,@lastname_txt,@firstname)";
        MySqlCommand.Parameters.AddWithValue("@userid", this.userid_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@email", this.email_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@passone", this.passone_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@passtwo", this.passtwo_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@lastname", this.lastname_txt.Text);
        MySqlCommand.Parameters.AddWithValue("@firstname", this.firstname_txt.Text);

        MySqlConnection conDataBase = new MySqlConnection();
        MySqlCommand cmdDataBase = new MySqlCommand(Query, conDataBase);
        MySqlCommand cmd = new MySqlCommand(Query, conDataBase);

        cmd.ExecuteNonQuery()

我有错误的状态

  

'MySql.Data.MySqlClient.MySqlDbType'不包含'NVarChar'的定义

和主

  

非静态字段,方法或属性'MySql.Data.MySqlClient.MySqlCommand.Parameters.get'

需要对象引用

我对使用MySql相对较新,所以感谢任何帮助

编辑:一旦我点击连接到我的数据库的注册

,新代码会导致致命错误 
MySqlCommand cmdDataBase = new MySqlCommand();
        MySqlParameter parameter = new MySqlParameter();

        string constring = "datasource=127.0.0.1;port=3306;username=root;password=welcome";
        string Query = "insert into userdatabase.users (userid, email, passone, passtwo, lastname, firstname) values(@userid,@email,@passone,@passtwo,@lastname_txt,@firstname)";
        cmdDataBase.Parameters.Add("@userid", MySqlDbType.VarChar).Value = userid_txt.Text;
        cmdDataBase.Parameters.Add("@email", MySqlDbType.VarChar).Value = email_txt.Text;
        cmdDataBase.Parameters.Add("@passone", MySqlDbType.VarChar).Value = passone_txt.Text;
        cmdDataBase.Parameters.Add("@passtwo", MySqlDbType.VarChar).Value = passtwo_txt.Text;
        cmdDataBase.Parameters.Add("@lastname", MySqlDbType.VarChar).Value = lastname_txt.Text;
        cmdDataBase.Parameters.Add("@firstname", MySqlDbType.VarChar).Value = firstname_txt.Text;


        MySqlConnection conDataBase = new MySqlConnection(constring);
        MySqlCommand cmd = new MySqlCommand(Query, conDataBase);

        try {
            conDataBase.Open();
            cmd.ExecuteNonQuery();
            MessageBox.Show("Welcome to iDSTEM!");
        }
            catch (Exception ex)
        {
                MessageBox.Show(ex.Message);
            }

1 个答案:

答案 0 :(得分:1)

您需要命令本身 - 您将在以后构建它:

MySqlCommand cmdDataBase = new MySqlCommand(Query, conDataBase);

将其移动得更高,然后使用:

cmdDataBase.Parameters.AddWithValue(...);

目前尚不清楚为什么要创建parameter变量,因为您从未使用它。

我实际上不会使用AddWithValue,而是使用:

cmdDataBase.Parameters.Add("@userid", MySqlDbType.VarChar).Value = userid_txt.Text;
// etc

MySQL的类型不是NVarChar,因此MySqlDbType也没有,因此您的错误 - 我强烈怀疑您只想要VarChar。您无需指定方向 - 默认情况下隐式“输入”。

此外,您应该使用using语句进行连接和命令:

using (var connection = new MySqlConnection(...))
{
    using (var command = new MySqlCommand(sql, connection))
    {
        ...
    }
}
相关问题
最新问题