![](/img/trans.png)
[英]Retrieving a record from database getting error as “Invalid column Name” in SQL?
[英]“invalid column name” error when retrieving data from SQL database?
我有一個包含3列的數據庫:FIRST_NAME,LAST_NAME和IMAGE。 我總是收到錯誤“無效的列名'第一列的名稱'”。 我應該寫下名字,然后單擊一個按鈕以顯示姓氏和圖像。 我正在使用C#,這是我當前的代碼:
private void button_show_Click(object sender, EventArgs e)
{
try
{
string sql = "select LAST_NAME,IMAGE from Table_1 where FIRST_NAME=" + this.firstname_textbox.Text + "";
if (conn.State != ConnectionState.Open)
conn.Open();
command = new SqlCommand(sql, conn);
SqlDataReader reader = command.ExecuteReader();
reader.Read();
if (reader.HasRows)
{
lastname_textbox.Text = reader[0].ToString();
byte[] img = (byte[])(reader[1]);
if (img == null)
pictureBox1.Image = null;
else
{
MemoryStream ms = new MemoryStream(img);
pictureBox1.Image = Image.FromStream(ms);
}
}
else
{
MessageBox.Show("This Name Does Not Exist");
}
conn.Close();
}
catch(Exception ex)
{
conn.Close();
MessageBox.Show(ex.Message);
}
}
}
謝謝。
您的WHERE子句中有未加引號的字符串。
string sql = "select LAST_NAME,IMAGE from Table_1 where FIRST_NAME=" + this.firstname_textbox.Text + "";
應該:
string sql = "select LAST_NAME,IMAGE from Table_1 where FIRST_NAME='" + this.firstname_textbox.Text + "'";
您還應該知道,對SQL查詢參數使用字符串連接是不好的做法,因為它會創建SQL注入漏洞。 例如,假設this.firstname_textbox.Text為:
';DELETE FROM Table_1 WHERE '1' = '1
這將導致變量“ sql”是這樣的:
select LAST_NAME,IMAGE from Table_1 where FIRST_NAME='';DELETE FROM Table_1 WHERE '1' = '1'
為避免此問題,請使用參數化查詢( https://msdn.microsoft.com/zh-cn/library/vstudio/bb738521%28v=vs.100%29.aspx )
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.