使用MySQL参数创建新用户
[英]Usage of MySQL Parameter for creating new user
问题描述
So I am using a MySQL Server version 8.0.16 and if I try to let dynamically create a new user, i do receive a Error message what says: >>You have an error in your SQL syntax; 
因此,我使用的是MySQL Server版本8.0.16,如果尝试动态创建新用户,则会收到一条错误消息,内容为:>>您的SQL语法有错误; check the manual that corresponds to your MySQL server version for the right syntax. 查看与您的MySQL服务器版本相对应的手册以获取正确的语法。 to use near '$password' at line 1<<. 在第1 <<行的'$ password'附近使用。
What i can't understand, becouse if i replace the Parameters with the actual value and try it with the shell it works perfectly. 我不明白的原因是,如果我将Parameters替换为实际值,并尝试使用完美运行的shell的话。 I let my code connect as root so and checked if the connection is open what it is. 我让我的代码以root用户身份连接,然后检查连接是否打开。 So if I stepped into the code and checked if the parameters are correct everything looked fine. 因此,如果我进入代码并检查参数是否正确,一切看起来就很好。 I also added >>'<< at the beginning and end of thext strings that should replace the parameters but it didn't changed the error or what happened. 我还在xt字符串的开头和结尾添加了>>'<<,它们应该替换参数,但是它没有改变错误或发生的情况。
public bool CreateNewUser(string name, string password, string host)
{
string query = "CREATE USER $name@$host IDENTIFIED BY $password;";
List<MySqlParameter> mies = new List<MySqlParameter>
{
new MySqlParameter("$name", name),
new MySqlParameter("$password", password),
new MySqlParameter("$host", host)
};
return InsertIntoQuery(query, mies);
}
//The InsertIntoQuery looks like this
private bool InsertIntoQuery(string sql, List<MySqlParameter> sqlParameters = null)
{
bool retBl = false;
try
{
using (var SqlConnection = new MySqlConnection(ConnectionStr))
{
SqlConnection.Open();
using (var cmd = new MySqlCommand(sql, SqlConnection))
{
if (sqlParameters != null)
foreach (var item in sqlParameters)
cmd.Parameters.AddWithValue(item.ParameterName, item.Value);
cmd.Prepare();
var retValNonQuery = cmd.ExecuteNonQuery();
retBl = (retValNonQuery > 0) ? true : false;
}
}
}
catch (Exception e)
{
MessageBox.Show("Error: " + e.Message);
}
return retBl;
}
I would expect it to create a new user but it doesn't. 我希望它可以创建一个新用户,但事实并非如此。
1 个解决方案
解决方案1
1 已采纳 2019-06-14 07:29:08
No, for CREATE USER command I don't think you can pass command parameter likewise. 不,对于CREATE USER命令,我认为您不能同样传递命令参数。 Rather substitute the value as is like below using string interpolation syntax. 而是像下面那样使用字符串插值语法替换该值。
string query = $"CREATE USER '{name}@{host} IDENTIFIED BY {password}";
For an older C# version consider using string.Format() 对于较旧的C#版本,请考虑使用string.Format()
string query = string.Format("CREATE USER '{0}'@'{1}' IDENTIFIED BY '{2}'",name,host,password);
Per OP's comment: You can't cause it's not a DML operation. 根据OP的评论:您不能导致它不是DML操作。 If you are worried about SQL Injection probably cause input value is coming from user input then you will have sanitize it someway and moreover if you observe the input are quoted. 如果您担心SQL注入可能导致输入值来自用户输入,那么您将对其进行某种方式的清理,此外,如果您观察到输入被引用,则将其清除。
Again, I would suggest that this kind of admin operation should go in a DB bootstrap script and not in your application code. 再次,我建议这种管理操作应在数据库引导脚本中进行,而不应在应用程序代码中进行。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.