我正在尝试创建一个从mysql数据库(db)返回值数组的程序。程序将接收用户输入,并将其拆分为子串,之后将子串与db进行比较,它将返回一个值数组。但是我仍然无法让它正常工作。我的循环功能或标签是否有问题? 这是程序代码:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using MySql.Data.MySqlClient;
namespace jawiFin
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
MySqlConnection myConn = new MySqlConnection("datasource=localhost;port=3306;username=root;password=971476");
MySqlCommand mcd;
MySqlDataReader mdr;
string s;
private void button1_Click(object sender, EventArgs e)
{
string strValue = textBox1.Text;
string[] strArray = strValue.Split(',',' ');
foreach (object obj in strArray)
{
myConn.Open();
s = "select * from database01.employeeinfo where name='" + this.textBox1.Text + "';";
mcd = new MySqlCommand(s, myConn);
mdr = mcd.ExecuteReader();
if (mdr.Read())
{
trans.Text += mdr.GetString("surname");
}
else
{
MessageBox.Show("error");
}
mdr.Close();
myConn.Close();
}
}
}
}
答案 0 :(得分:3)
想象一下,this.textBox1.Text包含带撇号的名称,比如O'Connor。现在你的SQL有语法错误:
select * from database01.employeeinfo where name='O'Connor'
-- ^^^^^^^
bobby';delete database01.employeeinfo;--
了解这会如何删除您的employeeinfo表格?这称为SQL注入攻击。别这么做!改为使用参数化的SQL语句:
s = "select * from database01.employeeinfo where name=@name";
mcd = new MySqlCommand(s, myConn);
mcd.Parameters.Add("@name", SqlDbType.String);
mcd.Parameters["@name"].Value = this.textBox1.Text;
答案 1 :(得分:0)
在我不知道您认为错误的情况下,我看起来好像这可能是您的问题:
此代码:
s = "select * from database01.employeeinfo where name='" + this.textBox1.Text + "';";
......实际应该是这样的:
s = "select * from database01.employeeinfo where name='" + ((string) obj ) + "';";
顺便提一下,您的代码中还有其他一些错误,例如当您已经知道obj成为object时string和{{1}}。