发表新帖
发表新帖

Using variables in SQL queries in asp.net (C#)

后端 未结
关注
4 1843
长情又很酷
长情又很酷 2021-01-05 13:47

I have an SQL query of this form

string cmdText = \"Select * from \" + searchTable 
  + \"WHERE \" + searchTable 
  + \"Name =\' \" +   searchValue + \"\'\";
4条回答
  • 时光说笑
    时光说笑 (楼主)
    2021-01-05 14:09

    There is a blank missing and one too much:

    searchTable + "Name =' "

    should read

    searchTable + " Name ='"

    Beside that, use SQL parameters to prevent SQL injection.

    0 讨论(0)
 看不清?
提交回复
热议问题