1
在我的應用程序中,我想使用UPDATE命令來更新多個MySQL列。我用下面的代碼嘗試了它,但我知道它確實不安全。因爲它導致了SQL注入攻擊。但我不知道如何編寫帶有參數的查詢來更新多個MySQL列。使用參數化更新命令更新多個mysql列
這是我的代碼:
string constring = string.Format("datasource='{0}';port='{1}';database='{2}';username=claimsprologin;password=xxxxxxxxxxxxxxxx;Connect Timeout=180;Command Timeout=180", serveriplable.Text, portno.Text, databasenamelable.Text);
string Query = "update claimloans set loannumber= '" + this.loannumbertextbox.Text.Trim() + " ', pool = '" + this.loanpooltextbox.Text.Trim() + "' , disblid = '" + this.disbidtextbox.Text.Trim() + "' , category = '" + this.categorytxtbox.Text.Trim() + " ', subcacategory = '" + this.subcategorytxtbox.Text.Trim() + " ', invoice = '" + this.invoicenumbertextbox.Text.Trim() + " ', invoicedate = '" + this.invoicedatetextbox.Text.Trim() + " ', docs = '" + this.docscombobox.Text.Trim() + "' , where username = '" + this.usernamelable.Text.Trim() + "' ;";
MySqlConnection conwaqDatabase = new MySqlConnection(constring);
MySqlCommand cmdwaqDatabase = new MySqlCommand(Query, conwaqDatabase);
MySqlDataReader myreader;
try {
conwaqDatabase.Open();
myreader = cmdwaqDatabase.ExecuteReader();
while (myreader.Read()) { }
MessageBox.Show("Credential informations are updated");
conwaqDatabase.Close();
}
catch {
}
爲什麼不使用參數化查詢? – vortex 2014-11-04 14:22:36