0
我有一些問題,我看到互聯網上代碼的和平只有這個與Oledb完成。數據庫連接C#ExecuteNonReader與MySql
我現在有rewrited爲MySQL.data.mysqlclient代碼如下:
MySqlDataReader dr = null;
MySqlCommand cmd = null;
string cmdstr = "SELECT * FROM users WHERE email='"+UsrName.Text+"' and password='"+PassWrd.Text+"' LIMIT 1";
dr = cmd.ExecuteNonReader();
cmd = new MySqlCommand(cmdstr, connection);
cmd.Dispose();
if (dr.Read() == true)
{
MessageBox.Show("Succesvol ingelogd");
}
else
{
MessageBox.Show("Geen juiste gegevens");
}
connection.Close();
}
現在的問題是爲dr = cmd.ExecuteNonReader()另一種方法。
UPDATE ----------------
string server;
string database;
string uid;
string password;
server = "localhost";
database = "cmstt";
uid = "root";
password = "";
string connectionString;
connectionString = "SERVER=" + server + ";" + "DATABASE=" +
database + ";" + "UID=" + uid + ";" + "PASSWORD=" + password + ";";
MySqlConnection connection = new MySqlConnection(connectionString);
connection.Open();
MySqlDataReader dr = null;
MySqlCommand cmd = null;
string cmdstr = "SELECT * FROM users WHERE email='"+UsrName.Text+"' and pass='"+PassWrd.Text+"' LIMIT 1";
dr = cmd.ExecuteReader();
cmd = new MySqlCommand(cmdstr, connection);
if (dr.Read() == true)
{
MessageBox.Show("Succesvol ingelogd");
}
else
{
MessageBox.Show("Geen juiste gegevens");
}
cmd.Dispose();
connection.Close();
您的代碼清楚地向SQL注入開放。請使用參數化的SQL,例如'cmd.Parameters.Add(「@ email」,email);' –
哦,是的,小鮑比桌子。 http://imgs.xkcd.com/comics/exploits_of_a_mom.png – Pacane