这是我尝试使用 emailid 检索用户名的代码。
string query="select name from userdetails where emailid=" + email + ";" ;
connection.Open();
MySqlCommand cmd = new MySqlCommand(query,connection);
MySqlDataReader rd = cmd.ExecuteReader();
while(rd.Read())
{
uname = (string)rd["emailid"];
return uname;
}
【问题讨论】:
email 的典型值是什么,它来自哪里? “无法执行”是什么意思?它不编译?它编译但抛出异常?有什么例外?
将值参数化以避免来自SQL Injection
string query="select name from userdetails where emailid=@email" ;
MySqlCommand cmd = new MySqlCommand(query,connection);
cmd.Parameters.AddWithValue("@email", email);
试试这个代码 sn-p:
string connStr = "connection string here";
string sqlStatement = "select name from userdetails where emailid=@email";
using (MySqlConnection conn = new MySqlConnection(connStr))
{
using(MySqlCommand comm = new MySqlCommand())
{
comm.Connection = conn;
comm.CommandText = sqlStatement;
comm.CommandType = CommandType.Text;
comm.Parameters.AddWithValue("@email", email);
try
{
conn.Open();
MySqlDataReader rd = cmd.ExecuteReader();
// other codes
}
catch(SqlException e)
{
// do something with the exception
// do not hide it
// e.Message.ToString()
}
}
}
为了正确编码
using 语句进行正确的对象处理try-catch 块正确处理异常【讨论】:
AddWithValue() :)
把你的电子邮件放在一个单独的qoute,因为它是这样的varchar..
string query="select name from userdetails where emailid='" + email + "';" ;
但这可能会导致 SQL 注入...所以使用这个...
string query="select name from userdetails where emailid=@email;" ;
MySqlCommand cmd = new MySqlCommand(query,connection);
cmd.Parameters.AddWithValue("@email",email);
【讨论】:
通过在单引号中添加email 来更新您的select 查询:
string query = "select name from userdetails where emailid='" + email +"';";
或 你可以像这样使用参数化查询:
string query="select name from userdetails where emailid=@email" ;
MySqlCommand cmd = new MySqlCommand(query,connection);
cmd.Parameters.AddWithValue("@email", email);
【讨论】: