SQLite在表中搜索用户

问题描述 投票:0回答:1
 // This returns a count of 1, so the table does exist, and I know the user exists becaue I have just added him in...
Int32 tableCount = database.Query(map, "SELECT * FROM sqlite_master WHERE type = 'table' AND name = 'UserTable'", ps).Count;

//but when I try this the count is 0....what am I doing wrong?
 Int32 tableCount2 = database.Query(map, "SELECT * FROM sqlite_master WHERE type = 'table' AND name = 'UserTable' AND NameOfUser = '" + personsName + "'", ps).Count;

t

试图查看用户是否存在...我在做什么错?

c# mysql sql sqlite
1个回答
0
投票

SQL注入

[首先,我想说这段代码容易受到SQL注入的攻击。

为什么查询不起作用?

因为我想,'NameOfUser'不是sqlite_master的列,而是UserTable的列。

sqlite_master由以下各列组成:

type
name
tbl_name
rootpage
sql

我该如何运作?

Int32 tableCount2 = database.Query(map, "SELECT * FROM UserTable WHERE NameOfUser = '" + personsName + "'", ps).Count;

但是,如前所述,最好使用C#SQLite准备好的语句来防止SQL注入,请检查以下内容:C# SQLite tutorial并搜索'prepared'

请在工作时将其标记为答案。

CU

© www.soinside.com 2019 - 2024. All rights reserved.