Using variables in SQL queries in asp.net (C#)

后端 未结 4 1849
长情又很酷
长情又很酷 2021-01-05 13:47

I have an SQL query of this form

string cmdText = \"Select * from \" + searchTable 
  + \"WHERE \" + searchTable 
  + \"Name =\' \" +   searchValue + \"\'\";         


        
4条回答
  •  时光说笑
    2021-01-05 14:09

    There is a blank missing and one too much:

    searchTable + "Name =' "
    

    should read

    searchTable + " Name ='"
    

    Beside that, use SQL parameters to prevent SQL injection.

提交回复
热议问题