I am trying to check whether certain IDs already exist in the database. If not, I want the user to change the id to something else.
All of this is done in the textbox's TextChanged handler.
The problem is that I get an error, because the query looks fine and I'm not sure why I see this: The SELECT statement includes a reserved word or an argument name that is misspelled or missing, or the punctuation is incorrect.
The method that performs the check:
using System;
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

private bool DoesIDExist(int dataID, string filePath)
{
    HashPhrase hash = new HashPhrase();
    DataTable temp = new DataTable();
    // 'pass' is not declared anywhere in the posted code; it is presumably
    // a field holding the database password.
    string hashShortPass = hash.ShortHash(pass);
    bool result = false;
    // Creating a connection string. Using placeholders makes the code
    // easier to understand.
    string connectionString =
        @"Provider=Microsoft.ACE.OLEDB.12.0; Data Source={0};
        Persist Security Info=False; Jet OLEDB:Database Password={1};";
    string sql = string.Format
        ("SELECT FROM PersonalData WHERE [DataID] = {0}", dataID);
    using (OleDbConnection connection = new OleDbConnection())
    {
        // Using string formatting lets me insert data into the
        // placeholders I used earlier.
        connection.ConnectionString =
            string.Format(connectionString, filePath, hashShortPass);
        // Creating command object.
        using (OleDbCommand command = new OleDbCommand(sql, connection))
        {
            try
            {
                // Open database connection.
                connection.Open();
                using (OleDbDataReader read = command.ExecuteReader())
                {
                    // Checking if there is any data in the file.
                    if (read.HasRows)
                    {
                        // Reading information from the file.
                        while (read.Read())
                        {
                            if (read.GetInt32(0) == dataID)
                                return true;
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show("Error: " + ex.Message);
            }
        }
    }
    return result;
}
Answer 0 (score: 3)
I think your select is missing the columns you want to pull?
string sql = string.Format
    ("SELECT FROM PersonalData WHERE [DataID] = {0}", dataID);
Shouldn't it be something like:
string sql = string.Format
    ("SELECT * FROM PersonalData WHERE [DataID] = {0}", dataID);
Answer 1 (score: 2)
You need to specify something in the SELECT clause. I'd guess:
SELECT DataID FROM PersonalData WHERE ...
Answer 2 (score: 2)
You're missing what to select:
string sql = string.Format
    ("SELECT FROM PersonalData WHERE [DataID] = {0}", dataID);
Change it to:
string sql = string.Format
    ("SELECT * FROM PersonalData WHERE [DataID] = {0}", dataID);
And: building the query the way you do leaves you open to SQL injection.
Answer 3 (score: 1)
The problem is this line of code:
string sql = string.Format
    ("SELECT FROM PersonalData WHERE [DataID] = {0}", dataID);
You need to specify what to select. Examples: SELECT *, SELECT [MyColumn], SELECT TOP 1 *, etc. Depending on your requirements, you may end up with something like:
string sql = string.Format
    ("SELECT COUNT(*) AS UserCount FROM PersonalData WHERE [DataID] = {0}", dataID);
Additional information:
If this method is used on the web, say pulling the ID from the query string, you are opening yourself up to SQL injection attacks. A small change to the code fixes that:
// The value is passed as a parameter instead of being formatted into the SQL text.
string sql = "SELECT COUNT(*) AS UserCount FROM PersonalData WHERE [DataID] = @DataID";
using (OleDbCommand command = new OleDbCommand(sql, connection))
{
    command.Parameters.AddWithValue("@DataID", dataID);
}
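The two points the answers make, the missing column list and the move from string.Format to a bound parameter, as one added runnable example that is not from the question or any of the answers. It uses Python's sqlite3 with a constructed in-memory table as a stand-in for the Access database and OleDb (an assumption: SQLite accepts the same [DataID] bracket quoting and rejects the same empty SELECT list), so it runs offline. The function names and sample rows are my own.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the Access PersonalData table
    (assumption: a DataID column as in the question). Sample rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PersonalData (DataID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany(
        "INSERT INTO PersonalData (DataID, Name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (42, "carol")],
    )
    conn.commit()
    return conn


def broken_select_error(conn):
    """Reproduce the asker's mistake: a SELECT with no column list is a
    syntax error in SQLite just as it is in Access. Returns the error text."""
    try:
        conn.execute("SELECT FROM PersonalData WHERE [DataID] = 1")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def does_id_exist(conn, data_id):
    """Parameterized equivalent of DoesIDExist. The value is bound through a
    placeholder, so the driver treats it as data and never as SQL text."""
    row = conn.execute(
        "SELECT COUNT(*) AS UserCount FROM PersonalData WHERE [DataID] = ?",
        (data_id,),
    ).fetchone()
    return row[0] > 0


def does_id_exist_from_text(conn, raw_value):
    """Web-facing variant where the ID arrives as text (e.g. a query string).
    Validate the type before querying: anything that is not a plain integer
    is rejected, a second layer on top of parameterization. This mirrors what
    the int parameter already does for the asker's C# method."""
    try:
        data_id = int(raw_value.strip())
    except (ValueError, AttributeError):
        return False
    return does_id_exist(conn, data_id)


if __name__ == "__main__":
    db = make_db()
    print(broken_select_error(db))
    print(does_id_exist(db, 42), does_id_exist(db, 7))
    print(does_id_exist_from_text(db, "42"), does_id_exist_from_text(db, "42 OR 1=1"))
```

Two things worth noticing when running it: the empty SELECT fails with a parse error before any row is touched, which is the same class of error the asker's OleDb message reports; and a tampered string passed to the parameterized query is compared as a literal text value against the integer column and simply matches nothing, whereas the type check in does_id_exist_from_text rejects it before the query is even built.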