使用mysql在C#中创建注册表单
[英]Creating Registration form in c# with mysql
问题描述
Hello so im creating a registration form in C# with MySql so it connects to the database and everything but i get this error Napaka pri registraciji Unknown column " in 'field list' the translation of Napaka pri registraciji means Error at registering i just have it in my language. I get this error when i insert data in textboxes and press Register.. 
您好,我用MySql在C#中创建注册表格,因此它连接到数据库和所有内容,但我收到此错误Napaka pri registraciji Unknown column " in 'field list'中Napaka pri registraciji的翻译意味着注册时出错,我只在其中拥有它我的语言。在文本框中插入数据并按注册时,出现此错误。
the code: 编码:
private void btn_Reg_Click(object sender, EventArgs e)
{
MySqlConnection dataConnection = new MySqlConnection();
dataConnection.ConnectionString = "datasource=localhost;port=3306;username=root;password=";
dataConnection.Open();
MySqlTransaction transakcija = dataConnection.BeginTransaction();
MySqlCommand dataCommand = new MySqlCommand();
dataCommand.Connection = dataConnection;
dataCommand.Transaction = transakcija;
try
{
dataCommand.CommandText = "Insert INTO lr.users (upIme,geslo) VALUES (`"+this.tB_upIme.Text+"`,`"+this.tB_geslo.Text+"`)";
dataCommand.CommandType = CommandType.Text;
dataCommand.ExecuteNonQuery();
transakcija.Commit();
MessageBox.Show("Registracija uspešna!");
}
catch (Exception eks)
{
transakcija.Rollback();
MessageBox.Show("Napaka pri registraciji\n" + eks.Message);
}
finally
{
dataCommand.Connection.Close();
}
}
2 个解决方案
解决方案1
2 已采纳 2014-03-06 14:28:50
There are two things I immediately see wrong here... 我立即在这里发现两件事是错误的...
First, you're using back ticks to wrap your values. 首先,您使用反向刻度来包装您的值。 In MySQL Back ticks represent database objects, so the query is looking for objects named by those values instead of using the values themselves. 在MySQL中,“滴答”代表数据库对象,因此查询要查找由这些值命名的对象,而不是使用值本身。 So instead of this: 所以代替这个:
`"+this.tB_upIme.Text+"`
You'd want this: 您想要这样:
'"+this.tB_upIme.Text+"'
Second, and vastly more importantly, your code is wide open to SQL injection attacks. 其次,更重要的是,您的代码很容易受到SQL注入攻击的影响。 You'll want to use query parameters, not direct string concatenation. 您将要使用查询参数,而不是直接字符串连接。 While it may look like you're just putting values into the query string, you're actually taking user input and treating it as executable code in your query string, which means users can run any arbitrary code they want on your database. 虽然看起来您只是将值放入查询字符串中,但实际上是在接受用户输入并将其视为查询字符串中的可执行代码 ,这意味着用户可以在数据库上运行他们想要的任何任意代码。
First, add parameters to your query: 首先,向您的查询添加参数:
"Insert INTO lr.users (upIme,geslo) VALUES (@upIme, @geslo)"
(You'll notice this also makes the query a heck of a lot cleaner and easier to read.) Then add your parameters to the command: (您会注意到,这也使查询变得更加整洁和易于阅读。)然后将参数添加到命令中:
dataCommand.Parameters.AddWithValue("@upIme", this.tB_upIme.Text);
dataCommand.Parameters.AddWithValue("@geslo", this.tB_geslo.Text);
Then when you execute that command it will treat the user-input values as values instead of as executable code . 然后,当您执行该命令时,它将把用户输入的值视为值,而不是可执行代码 。
解决方案2
0 2014-03-06 14:26:19
Change to single quotes ' in the values. 将值更改为单引号' 。
dataCommand.CommandText =
"Insert INTO lr.users (upIme,geslo)
VALUES ('"+this.tB_upIme.Text+"','"+this.tB_geslo.Text+"');";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.