asp.net獲取當前用戶ID

Question

在後面的代碼，我有這樣的：

protected void ButtonSave_Click(object sender, EventArgs e) 
     { 
      Guid guid = (Guid)Membership.GetUser().ProviderUserKey; 
      string name = TextBoxCategoryName.Text; 
      // string user = Membership.GetUser().UserName; 
      this.connection.Open(); 
      command = connection.CreateCommand(); 
      command.CommandText = "insert into ProfitCategories(name, IdUser) values ('" + name + "', "+guid+")"; 
      command.ExecuteNonQuery(); 

      connection.Close(); 
     } 

但這給錯誤：Incorrect syntax near 'a8'. 如何從當前用戶獲得GUID，並插入到數據庫

Answer 1

的小問題：您的GUID周圍缺少單引號。它應該是：

command.CommandText = "insert into ProfitCategories (name, IdUser) values ('" + name + "', '" + guid + "')"; 

但是不要這樣做。

大問題：如果您修復此問題，您將面臨SQL注入風險。使用SQL語句的參數來適當修復或使用存儲過程。

閱讀：

MSDN SqlCommand.Parameters

SQL Injection

Answer 2

雖然邁克已提出你的答案，我想提請你注意使用存儲過程而不是SQL查詢

try 
    { 
     Guid guid = (Guid)Membership.GetUser().ProviderUserKey; 
     string name = TextBoxCategoryName.Text; 

     using (SqlConnection con = new SqlConnection(sqlConnection)) 
      { 
      SqlCommand command = new SqlCommand("sp_InsertUserDatails", sqlConnection); 
      command.CommandType = CommandType.StoredProcedure; 
      command.Parameters.Add("@name", SqlDbType.VarChar).Value = name ; 
      command.Parameters.Add("@IdUser", SqlDbType.VarChar).Value = guid ; 
      sqlConnection.Open(); 
      return command.ExecuteNonQuery(); 
      sqlConnection.Close(); 
      } 
    } 
catch (SqlException ex) 
    { 
    Console.WriteLine("SQL Error" + ex.Message.ToString()); 
    return 0; 
    } 

這裏是存儲過程

CREATE PROCEDURE sp_InsertUserDatails 
(
    @name varchar(100), 
    @IdUser varchar(100) 
) 
AS 
BEGIN 
    insert into dbo.ProfitCategories(name, IdUser) 
    values (@name, @IdUser) 
END 
GO