[英]Syntax error (comma) in query expression ('StudentID', 'Password')
我正在嘗試從我現在正在創建的 Microsoft Access 數據庫登錄到我的應用程序,但我收到此錯誤“查詢表達式('StudentID','Password')中的語法錯誤(逗號)。” 任何人都可以給我一個修復嗎?
這是錯誤來自的代碼:
con.Open();
string login = "SELECT (StudentID, Password) FROM Student WHERE StudentID = '"+txtStudentID+ "' and Password = '" + txtPassword + "'";
cmd = new OleDbCommand(login, con);
OleDbDataReader dr = cmd.ExecuteReader();
去掉括號:
SELECT StudentID, Password FROM Student ...
而使用參數來防止SQL注入很重要(即使是學校或學習項目,壞習慣也很難改掉),這不是問題的根源。
您應該先刪除括號,使用字符串插值也更好,更易讀!
con.Open();
string login = $"SELECT StudentID, Password FROM Student WHERE StudentID = '{txtStudentID.text}' and Password = '{txtPassword.text}' ";
cmd = new OleDbCommand(login, con);
OleDbDataReader dr = cmd.ExecuteReader();
但完整的解決方案如下,為了避免 SQL 注入,您應該使用 SQL 參數:
SqlParameter userName = new SqlParameter()
{
ParameterName = "@UserName",
DbType = DbType.String,
Direction = ParameterDirection.Input,
Value = txtStudentID.text
};
SqlParameter password = new SqlParameter()
{
ParameterName = "@Password",
DbType = DbType.String,
Direction = ParameterDirection.Input,
Value = txtPassword.text
};
SqlCommand command = new SqlCommand
{
Connection = connection,
CommandType = CommandType.Text,
CommandText = $"SELECT * FROM Student WHERE StudentID = @UserName and Password = @Password"
};
command.Parameters.Add(userName);
command.Parameters.Add(password);
con.Open();
....
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.