SQL query from C#

感情败类
感情败类 2020-12-20 23:32

I am trying to query a SQL Server database from C#.

I have a class:

class Class_A
{
  public void fetch(string name, string last_name)
  {
    SqlConnection conn


        
4 answers
  • 2020-12-20 23:39

    ⚠️ WARNING This answer contains a SQL injection security vulnerability. Do not use it. Consider using a parameterized query instead, as described in some of the other answers to this question (e.g. Tony Hopkinson's answer).

    Try adding quotes around the values in the where clause like this:

    select * from table where NAME = 'name' and LAST_NAME = 'last_name'
    

    In your case where you are using variables you need to add the quotes and then concatenate the values of the variables into the string. Or you could use String.Format like this:

    var sql = String.Format("select * from table where [NAME] = '{0}' and LAST_NAME = '{1}'", name, last_name);
    SqlCommand myCommand = new SqlCommand(sql);
    
    0 Discussion (0)
  • 2020-12-20 23:53

    Use a parameterised query, and more usings, and stop with the generic exceptions.

    Something like this, where someName and someLastName are the values that you want to query for.

    using System;
    using System.Data;
    using System.Data.SqlClient;

    String sql = "Select * From SomeTable Where [Name] = @Name and [Last_Name] = @LastName";
    try
    {
      using (SqlConnection conn = new SqlConnection(connection))
      {
        conn.Open();
        using (SqlCommand command = new SqlCommand(sql, conn))
        {
          // Typed parameters with an explicit size; the values never become part of the SQL text
          command.Parameters.Add(new SqlParameter("@Name", SqlDbType.NVarChar, 50) { Value = someName });
          command.Parameters.Add(new SqlParameter("@LastName", SqlDbType.NVarChar, 50) { Value = someLastName });
          using (IDataReader myReader = command.ExecuteReader())
          {
            while (myReader.Read())
            {
               //do something
            }
          }
        }
      }
      return 0; // Huh?
    }
    catch (SqlException sex)
    {
       Console.WriteLine(String.Format("Error - {0}\r\n{1}", sex.Message, sex.StackTrace));
    }
    

    NB: not checked, there might be a silly in it.

    0 Discussion (0)
  • 2020-12-20 23:59

    Try

    select * from table where NAME = 'name' and LAST_NAME = 'last_name'
    

    instead of

    select * from table where NAME = name and LAST_NAME = last_name
    

    Edit:

    If name and last_name are your parameters then try this:

    SqlCommand myCommand = new SqlCommand("select * from table where NAME = @name and LAST_NAME = @last_name", conn); 
    myCommand.Parameters.AddWithValue( "@name", name );
    myCommand.Parameters.AddWithValue( "@last_name", last_name );
    

    Using parameterized commands means that you are invulnerable to a potentially huge security hole: SQL injection, which is possible when command text is manually concatenated.

    0 Discussion (0)
  • 2020-12-20 23:59

    The text needs to be quoted, as others have said, but that's not really the right answer here. Even without malice you're going to run into trouble with the Irish here; look what happens when you try to look for Mr. O'Neill. Use parameters instead.

    0 Discussion (0)
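A worked example, added here and not taken from any of the answers above, that puts the two approaches side by side: the quote-and-concatenate query from the first answer, fed the O'Neill surname from the last answer and a tautology payload, next to the parameterised SqlCommand the second and third answers recommend. The table name `People`, the `Microsoft.Data.SqlClient` package, the column sizes and the connection string passed on the command line are assumptions; the question only gives the NAME and LAST_NAME columns.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient;   // assumption: System.Data.SqlClient works identically for this code

// Added example, not code from the original question or answers.
// Table name "People" and the nvarchar(100) sizes are assumptions.
public static class PeopleQuery
{
    // The pattern from the first answer: add quotes, then concatenate.
    // Kept only to show what text actually reaches the server.
    public static string BuildUnsafeSql(string name, string lastName)
    {
        return "select * from People where [NAME] = '" + name +
               "' and LAST_NAME = '" + lastName + "'";
    }

    // Parameterised version. The SQL text is a constant; the values travel
    // separately as typed parameters, so a quote in the input is just data.
    public static List<(string Name, string LastName)> Fetch(
        string connectionString, string name, string lastName)
    {
        const string sql =
            "select [NAME], LAST_NAME from People where [NAME] = @name and LAST_NAME = @lastName";

        var rows = new List<(string, string)>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length. AddWithValue would infer nvarchar(len(value)),
            // which produces a different cached plan for every distinct input length.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 100).Value = lastName;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    rows.Add((reader.GetString(0), reader.GetString(1)));
                }
            }
        }
        return rows;
    }

    public static void Main(string[] args)
    {
        // Constructed inputs: an ordinary Irish surname and a classic tautology payload.
        foreach (var last in new[] { "O'Neill", "x' OR '1'='1" })
        {
            Console.WriteLine(BuildUnsafeSql("Sean", last));
        }

        if (args.Length == 1)
        {
            // Same inputs through parameters: O'Neill matches only O'Neill, and the
            // payload matches nothing unless a row literally has that surname.
            foreach (var row in Fetch(args[0], "Sean", "O'Neill"))
                Console.WriteLine($"{row.Name} {row.LastName}");
            Console.WriteLine(Fetch(args[0], "Sean", "x' OR '1'='1").Count + " rows for the payload");
        }
    }
}
```

Run it with no arguments to see the two concatenated strings: the apostrophe in O'Neill closes the literal early and the server rejects the statement, while the payload closes the literal and appends `OR '1'='1'`, so the WHERE clause is true for every row. Run it with a connection string as the single argument to see the parameterised path return exactly the rows whose surname equals the supplied value.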