This page covers the question "Please send me the correct query"; the answers below may be useful to anyone running into the same problem.

Problem description


string verifyinfo = "select imagelist, pass from Gpass where userid=" + txtuserid.Text + "email=" + txtemail.Text;

Recommended answers

"select imagelist, pass from Gpass where userid='" + txtuserid.Text + "' and email='" + txtemail.Text + "'";


However, also note that writing inline queries like this could lead to SQL Injection.
Use parameters instead.


string verifyinfo = "select imagelist, pass from Gpass where userid='" + txtuserid.Text + "' AND email='" + txtemail.Text + "'";





But don't use string concatenation to build queries, because using string concatenation doesn't prevent SQL injection. Use a SqlParameter to pass a parameter:
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx
http://www.dotnetperls.com/sqlparameter

If you use a SqlParameter, try this code:

// 'connection' is an already-open SqlConnection.
using (SqlCommand command = new SqlCommand(
    "select imagelist, pass from Gpass where userid=@userid AND email=@email", connection))
{
    // The textbox values are bound as parameters, so they are never parsed as SQL.
    command.Parameters.Add(new SqlParameter("@userid", txtuserid.Text));
    command.Parameters.Add(new SqlParameter("@email", txtemail.Text));
    using (SqlDataReader reader = command.ExecuteReader())
    {
        // some other code
    }
}
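The following is an added example, not code from the question or from any of the answers above. It reproduces the three queries discussed on this page against an in-memory SQLite database (sqlite3 placeholders stand in for SqlClient's @userid/@email SqlParameter binding) so the difference can be observed: the question's original concatenation is not even valid SQL, the quoted-and-concatenated version from the answers runs but can be bypassed by typing `' OR '1'='1` into the email box, and the parameterized version returns nothing for that same input. The Gpass rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the Gpass table from the question.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "img1.png", "s3cret"),
    ("bob", "bob@example.com", "img2.png", "hunter2"),
]


def make_db():
    """Create an in-memory Gpass table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Gpass (userid TEXT, email TEXT, imagelist TEXT, pass TEXT)"
    )
    conn.executemany("INSERT INTO Gpass VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def original_query_fails(conn, userid, email):
    """The query exactly as built in the question: no quotes, no AND.

    Returns True when the database rejects it (it is not valid SQL).
    """
    sql = ("select imagelist, pass from Gpass where userid=" + userid
           + "email=" + email)
    try:
        conn.execute(sql).fetchall()
    except sqlite3.Error:
        return True
    return False


def verify_concat(conn, userid, email):
    """Vulnerable: the quoted string-concatenated query from the answers.

    Valid SQL for ordinary input, but the input is still parsed as SQL.
    """
    sql = ("select imagelist, pass from Gpass where userid='" + userid
           + "' AND email='" + email + "'")
    return conn.execute(sql).fetchall()


def verify_param(conn, userid, email):
    """Safe: bound parameters, the sqlite3 equivalent of the SqlParameter answer."""
    sql = "select imagelist, pass from Gpass where userid=? AND email=?"
    return conn.execute(sql, (userid, email)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # typed into the email textbox
    print("original query rejected:", original_query_fails(db, "alice", "alice@example.com"))
    print("concat, honest input:  ", verify_concat(db, "alice", "alice@example.com"))
    print("concat, injected email:", verify_concat(db, "alice", payload))
    print("param, injected email: ", verify_param(db, "alice", payload))
```

With the injected email the concatenated WHERE clause becomes `userid='alice' AND email='' OR '1'='1'`; because AND binds tighter than OR, the condition is true for every row and both users' password column values come back. The parameterized query compares the literal string `' OR '1'='1` against the email column and matches nothing.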



I recommend using SqlParameter to prevent SQL injection.


That concludes the "Please send me the correct query" question; we hope the recommended answers are helpful.

10-21 14:26