Request.form以逗号返回值

时间:2017-03-22 15:13:10

标签: mysql sql asp.net

当我运行此代码时:

string MySQL = "Select * From RegisterDatabase Where uName  = '" + Request.Form["username"] +"'";

它对我不起作用,所以我试着看看问题是什么,结果发现MySQL中有一个逗号。

Select * From RegisterDatabase Where uName  = 'Test,'

我该如何解决这个问题?

2 个答案:

答案 0 :(得分:2)

您的代码很容易SQL Injection attack

您希望像这样参数化查询 -

string query = "Select * From RegisterDatabase Where uName = @username";

// Remove "," from username
string username = Request.Form["username"].ToString().Replace(",", "");

MySqlCommand command = new MySqlCommand(query);
command.Parameters.AddWithValue("@username", username);

或者有些人使用?username代替@username

答案 1 :(得分:-1)

使用以下

Request.Form [" username"]。ToString()。替换(',','')。修剪();