How to extract individual column data from C# MySQL query?

How can I extract the column data from my user row? EX: This gets called on my WCF server when the client logs in. It works up to var xx = ds.Tables[0].Rows[1]; where it throws an error on the client's side. Basically I am trying to have the user/pass verified in the database. Then return to the client a DateTime of when his subscription expires.

public bool Authenticate(string userId, string password, out string token)
    {
        token = "";

        string MyConnectionString = "Server=localhost;Database=testdb;Uid=root;Pwd=admin;";
        MySqlConnection sqlCon = new MySqlConnection(MyConnectionString);
        sqlCon.Open();

        MySqlCommand cmd = sqlCon.CreateCommand();
        cmd.CommandText = "SELECT * FROM table1 WHERE username = '"+userId+"' AND password = '"+password+"'";
        MySqlDataAdapter adap = new MySqlDataAdapter(cmd);
        DataSet ds = new DataSet();
        adap.Fill(ds);


        if (ds.Tables[0].Rows.Count > 0)
        {
            token = Guid.NewGuid().ToString();
            var xx = ds.Tables[0].Rows[0];


            CustomDataSource.AddUserData(token, userId);

            return true;
        }

        return false;
    }

Well, I suppose that your query returns only one row (if it finds the user with the correct password).

In that case you get the date from the first row returned (index zero).
Also I assume that your date is stored in the fifth column (index four); if not, you should adjust the second index to point to the correct column. (The base array index is always zero.)

if (ds.Tables[0].Rows.Count > 0)
{
    token = Guid.NewGuid().ToString();
    var xx = ds.Tables[0].Rows[0][4];
    CustomDataSource.AddUserData(token, userId);
    return true;
}

That said, let me point to a big problem with this code.
This code could easily be used for a SQL Injection attack because it concatenates strings, probably typed by your user, to form a SQL text passed to the database engine. Instead you should use parameters to avoid the SQL Injection problem and the quoting of user text (password with an apostrophe?).

    using(MySqlConnection sqlCon = new MySqlConnection(MyConnectionString))
    {
        sqlCon.Open();
        MySqlCommand cmd = sqlCon.CreateCommand();
        cmd.CommandText = "SELECT * FROM table1 WHERE username = ?user AND password = ?pwd";
        cmd.Parameters.AddWithValue("?user", userId);
        cmd.Parameters.AddWithValue("?pwd", password);
        using(MySqlDataAdapter adap = new MySqlDataAdapter(cmd))
        {
            DataSet ds = new DataSet();
            adap.Fill(ds);
        }
    }

var xx = ds.Tables[0].Rows[0].ItemArray[5];

Is how.

Try using a foreach loop

foreach (DataRow row in ds.Tables[0].Rows) 
{
    var xx = row[1];
    var x = row[5];

    // other codes

    return true;
}

One more thing: parameterize your query to avoid SQL injection

using(MySqlConnection sqlCon = new MySqlConnection(MyConnectionString))
{
    using (MySqlCommand cmd = new MySqlCommand())
    {
        cmd.Connection = sqlCon;
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "SELECT * FROM table1 WHERE username = @user AND password = @pass";
        cmd.Parameters.AddWithValue("@user", userId);
        cmd.Parameters.AddWithValue("@pass", password);
        using (MySqlDataAdapter adap = new MySqlDataAdapter(cmd))
        {
            try
            {
                DataSet ds = new DataSet();
                adap.Fill(ds);
            }
            catch (MySqlException e)
            {
                // do something with the exception
                // don't hide it!
            }
        }
    }
}
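
Putting the answers together, as an added example that is not part of the original thread or any answer's own code: the login check with a parameterized query that also returns the expiry date, read by column name rather than by position. The class and method names, the extra `out DateTime expires` parameter and the column name `expires` are assumptions; the page never names the expiry column.

```csharp
using System;
using MySql.Data.MySqlClient;

public static class SubscriptionAuth
{
    // Assumption: table1 has a DATETIME column named "expires" (hypothetical name).
    private const string Sql =
        "SELECT expires FROM table1 WHERE username = @user AND password = @pass";

    public static bool TryAuthenticate(string connectionString, string userId, string password,
                                       out string token, out DateTime expires)
    {
        token = "";
        expires = DateTime.MinValue;

        using (var sqlCon = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(Sql, sqlCon))
        {
            // Values travel as parameters, so an apostrophe in either one
            // is treated as data and cannot change the statement text.
            cmd.Parameters.AddWithValue("@user", userId);
            cmd.Parameters.AddWithValue("@pass", password);

            sqlCon.Open();
            using (MySqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false;               // no matching row: reject the login

                // Look the column up by name instead of a positional index,
                // so adding or reordering columns cannot return the wrong field.
                int col = reader.GetOrdinal("expires");
                if (reader.IsDBNull(col))
                    return false;               // no expiry recorded: reject the login

                expires = reader.GetDateTime(col);
                token = Guid.NewGuid().ToString();
                return true;
            }
        }
    }
}
```

The caller registers the token as the question's code does (CustomDataSource.AddUserData(token, userId)) and sends `expires` back to the client.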
