问题描述
<pre lang="c#">
try
{
string txt = "select * from Products where id='" + txtSalesItemNo.Text + "'";
SqlCommand cmd = new SqlCommand(txt, con);
con.Open();
SqlDataReader re = cmd.ExecuteReader();
while (re.Read())
{
int price = int.Parse(txtSalesQty.Text.ToString()) * int.Parse(re[4].ToString());
totalprice = totalprice + price;
dataGridView1.Rows.Add(dataGridView1.RowCount, re[0], re[1], txtSalesQty.Text.Trim(), re[4], price);
}
lbTotalItem.Text = " " + (dataGridView1.RowCount - 1) + "";
lbTotal.Text = " " + totalprice + " ";
con.Close();
}
catch(Exception ee)
{
MessageBox.Show(ee.Message);
}
finally
{
con.Close();
}
我的尝试:
我在这个问题上挣扎了几天,我无法弄清楚如何解决它。
What I have tried:
I am struggling for a few days with this issue and I can't figure out how can I fix it.
推荐答案
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
就SQL而言,用户添加的引号会终止字符串,并且您会遇到问题。但情况可能更糟。如果我来并改为输入:x'; DROP TABLE MyTable; - 然后SQL收到一个非常不同的命令:
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
哪个SQL看作三个单独的命令:
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
完全有效的SELECT
A perfectly valid SELECT
DROP TABLE MyTable;
完全有效的删除表格通讯和
A perfectly valid "delete the table" command
--'
其他一切都是评论。
所以它确实:选择任何匹配的行,从数据库中删除表,并忽略其他任何内容。
所以总是使用参数化查询!或者准备好经常从备份中恢复数据库。你经常定期备份,不是吗?
2)除非你已经完全验证了它们,否则永远不要将应该是数字的用户字符串发送到任何地方。用户会犯错误 - 如果你没有验证,你就不知道。
因此,在你的方法的顶部,使用int.TryParse来转换用户输入值:
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
2) Never send user strings that should be numbers to anywhere unless you have fully validated them. Users make mistakes - and if you don't validate, you don't know.
So, at the top of your method, use int.TryParse to convert the user input value:
int saleItemNo;
if (!int.TryParse(txtSaleItemNo.Text, out saleItemNo))
{
MessageBox("the Sale Item needs to be a number: " + txtSaleItemNo.Text);
return;
}
然后当您使用该值访问SQL时,使用参数化查询来传递转换后的值:
Then when you use that value to access SQL, use a parameterised query to pas the converted value:
string txt = "SELECT * FROM Products WHERE id=@SIID";
SqlCommand cmd = new SqlCommand(txt, con);
cmd.Parameters.AddWithValue("@SIID", salesItemNo);
并完成整个应用程序,用参数替换连接 - 错过一个,你的数据库是吐司。
And go through the whole of your app replacing concatenation with parameters - miss one, and your DB is toast.
这篇关于将varchar值''转换为数据类型int时转换失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!