在Visual Studio中创建注册表单,SQL语法出错
[英]Creating Registration form in Visual Studio, getting error in SQL Syntax
问题描述
Whenever I run the application I keep getting the error: 
每当我运行应用程序时,我都会不断收到错误消息:
You have an error in your SQL syntaxt;
My code is: 我的代码是:
try
{
string myConnection = "datasource=127.0.0.1;port=3306;username=root;password=welcome";
MySqlConnection myConn = new MySqlConnection(myConnection);
MySqlCommand SelectCommand = new MySqlCommand("select * User_Info.users where user_name=" + this.username_txt.Text + " and password=" + this.password_txt + " ;", myConn);
MySqlDataReader myReader;
myConn.Open();
myReader = SelectCommand.ExecuteReader();
int count = 0;
while (myReader.Read())
{
count = count + 1;
}
if (count == 1)
{
MessageBox.Show("Username and password is correct");
}
else if (count > 1)
{
MessageBox.Show("Duplciate Username and password, access is denied");
}
else
MessageBox.Show("Username and password is incorrect, please try again");
myConn.Close();
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
What causes this error? 是什么导致此错误?
2 个解决方案
解决方案1
1 2014-04-29 20:04:12
This is possibly due to not having single quotes around your username and password strings. 这可能是由于用户名和密码字符串周围没有单引号引起的。
As such, and provided your c# syntax is correct, your string concatenation could possibly be: 这样,如果您的c#语法正确,则字符串连接可能是:
"select * User_Info.users where user_name='" + this.username_txt.Text + "' and password='" + this.password_txt + "';"
When embedding SQL code into your app, it often helps to run an example query directly in the database first, and then translate that working query to your app code. 将SQL代码嵌入到您的应用程序中时,通常有助于先直接在数据库中运行示例查询,然后将该工作查询转换为您的应用程序代码。 You should then be able to debug to highlight any differences between the two. 然后,您应该能够进行调试以突出显示两者之间的任何差异。
Also, without using parameters but simply concatenating strings and user inputs (sanitized or not), you are opening yourself up to SQL Injection attacks . 此外,无需使用参数,而只需串联字符串和用户输入(是否经过消毒),您就可以面对SQL Injection攻击 。 It cannot be stressed enough to refactor your code to use parameters. 压力不足以重构代码以使用参数。 Doing so will also eliminate the need to provide these string delimiters in your query. 这样做还将消除在查询中提供这些字符串定界符的需要。
解决方案2
0 2014-04-29 20:03:16
Maybe your Strings are empty, or you need to escape the word "name" and "user" in your select, because these are reserved SQL keywords. 也许您的字符串为空,或者您需要在选择的内容中转义单词“ name”和“ user”,因为它们是保留的SQL关键字。 For mysql the default escape character is 对于mysql,默认转义字符为
`
. 。 The SQL standard escape character is SQL标准转义字符为
"
So please change the following line 因此,请更改以下行
"select * User_Info.users where user_name="
to 至
"select * `User_Info`.`users` where `user_name`="
and your query should work fine. 并且您的查询应该可以正常工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.