这个问题在这里已有答案:
我用SQL查询填充数据表,我收到此错误:
System.Data.SqlClient.SqlException:''''附近的语法不正确。
这是我的代码:
SqlConnection sqlConnection = new SqlConnection("Data Source=OWNER;Initial Catalog=train-database;Integrated Security=True;Pooling=False");
SqlDataAdapter sda = new SqlDataAdapter("SELECT c_id FROM [user] WHERE E_mail = '"+ f3.E_Mail3.Text +"' and password = "+f3.Password3.Text+" ", sqlConnection);
DataTable dt = new DataTable();
sda.Fill(dt);
密码值需要在单引号中,就像用户名部分一样
SqlConnection sqlConnection = new SqlConnection("Data Source=OWNER;Initial Catalog=train-database;Integrated Security=True;Pooling=False");
SqlDataAdapter sda = new SqlDataAdapter("select c_id From [user] Where E_mail = '"+ f3.E_Mail3.Text +"' and password = '"+f3.Password3.Text+"' ", sqlConnection);
DataTable dt = new DataTable();
sda.Fill(dt);
但是这段代码容易受到SQL注入攻击,使用字符串连接创建SQL查询确实是一种不好的做法。
强烈建议使用SQL参数。
以下代码不是完整的工作代码,因为我不在我的ide附近,但我相信你可以解决它。
SqlConnection sqlConnection = new SqlConnection("Data Source=OWNER;Initial Catalog=train-database;Integrated Security=True;Pooling=False");
SqlCommand command= new SqlCommand("select c_id from [users] where e_mail =@emailparam and password =@passwordparam",sqlConnection);
command.Parameters.Add(new SqlParameter("emailparam",f3.Email.text));
command.Parameters.Add(new SqlParameter("passwordparam", f3.password.text));
SqlDataAdapter sda = new SqlDataAdapter(command);
DataTable dt = new DataTable(); sda.Fill(dt);