Question

帮助请问...如何更正此代码？

SELECT Products.ProductID, Products.Name, Categories.CatName, " +
       "Products.Description, Products.Price FROM Products INNER JOIN Categories ON " +
       "Products.CatID = Categories.CatID ORDER BY Products.Price DESC WHERE " + column + " LIKE '%" + keyword + "%'";

Answer 1

order by应该在where子句

之后

"SELECT Products.ProductID, Products.Name, Categories.CatName, " +
"Products.Description, Products.Price FROM Products INNER JOIN Categories ON " +
"Products.CatID = Categories.CatID " +
"WHERE " + column + " LIKE '%" + keyword + "%'";
"ORDER BY Products.Price DESC"

正如其他评论所说，您应该考虑使用SQLParameters来避免 SQL注入

Answer 2

您想要的反注入SQL代码？

如下：

"SELECT Products.ProductID, Products.Name, Categories.CatName, " +
"Products.Description, Products.Price FROM Products INNER JOIN Categories ON " +
"Products.CatID = Categories.CatID WHERE " + column + 
"LIKE CONCAT('%'," + keyword + ",'%')" +
"ORDER BY Products.Price DESC";

如何使用内部联接更正搜索代码？

2 个答案: