2012-02-14 47 views
1

C# string concatenation question: why doesn't it work here?

I have the following C# code:

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Text; 

namespace StringTest 
{ 
    class Program 
    { 
     static void Main(string[] args) 
     { 

        String strSQLCode; 
        strSQLCode = " select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * " 
            += " from view_dg_game_details gd (nolock) " 
            += " where gd.gametypeid = {0} " 
            += " and gd.numberofrounds = {1} " 
            += " and gd.gamevalues = '{2}' "; 
     } 
    } 
} 

For some reason I get the error "The left-hand side of an assignment must be a variable, property or indexer".

I can't see what the error is telling me. I commented out the offending line, but the error just moved up one line.

I can get the string concatenation to work using this approach:

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Text; 

namespace StringTest 
{ 
    class Program 
    { 
     static void Main(string[] args) 
     { 

      String strSQLCode; 
      strSQLCode = " select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * "; 
      strSQLCode = strSQLCode + " from view_dg_game_details gd (nolock) "; 
      strSQLCode = strSQLCode + " where gd.gametypeid = {0} "; 
      strSQLCode = strSQLCode + " and gd.numberofrounds = {1} "; 
      strSQLCode = strSQLCode + " and gd.gamevalues = '{2}' ";    
     } 
    } 
} 

Can someone explain to me what this error is about?

Thanks

+10

You have a SQL injection vulnerability. – SLaks 2012-02-14 18:53:13

+0

String concatenation is less efficient; a '@' string would be better here. – McKay 2012-02-14 18:56:37

+3

@McKay: I imagine the compiler combines them at compile time. – 2012-02-14 19:07:27

Answers

12

Because you can't chain the += operator without repeating the variable you're operating on:

strSQLCode = @"select rank() over (order by percentagecorrect desc, 
              totalmilliseconds asc) as rank, * "; 
strSQLCode += " from view_dg_game_details gd (nolock) "; 
strSQLCode += " where gd.gametypeid = {0} "; 
strSQLCode += " and gd.numberofrounds = {1} "; 
strSQLCode += " and gd.gamevalues = '{2}' "; 

If you want to declare it as one "long" statement, use just +:

strSQLCode = @"select rank() over (order by percentagecorrect desc, 
              totalmilliseconds asc) as rank, * " 
      + " from view_dg_game_details gd (nolock) " 
      + " where gd.gametypeid = {0} " 
      + " and gd.numberofrounds = {1} " 
      + " and gd.gamevalues = '{2}' "; 

Or, if you don't want any of that, you can just use a verbatim string literal:

strSQLCode = 
    @"select rank() over (order by percentagecorrect desc, 
           totalmilliseconds asc) as rank, * 
     from view_dg_game_details gd (nolock) 
     where gd.gametypeid = {0} 
      and gd.numberofrounds = {1} 
      and gd.gamevalues = '{2}' "; 
+0

Yes, multi-line string literals are better. – McKay 2012-02-14 18:58:58

2

For your first snippet, what you want is +, not +=.

You only want to assign to the variable once, and you do that after concatenating all the parts together in the normal way. That's +.

2

In your first snippet you shouldn't use +=; a simple + will do.

From MSDN:

An expression using the += assignment operator, such as

x += y 

is equivalent to

x = x + y 

except that x is only evaluated once.

This means you can't use += to chain together a series of strings, or more than two variables.

2

You wrote

something += "a" += "b"; 

which doesn't make sense.

3

It's a single statement, so you should use the following:

 strSQLCode = " select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * " 
        + " from view_dg_game_details gd (nolock) " 
        + " where gd.gametypeid = {0} " 
        + " and gd.numberofrounds = {1} " 
        + " and gd.gamevalues = '{2}' "; 
2

Just use it this way:

strSQLCode = " select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * " 
      + " from view_dg_game_details gd (nolock) " 
      + " where gd.gametypeid = {0} " 
      + " and gd.numberofrounds = {1} " 
      + " and gd.gamevalues = '{2}' "; 

strSQLCode = 
      @"select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * 
      from view_dg_game_details gd (nolock) 
      where gd.gametypeid = {0} 
      and gd.numberofrounds = {1} 
      and gd.gamevalues = '{2}' "; 
+0

+1 for the @ string – McKay 2012-02-14 18:58:35

1

Your syntax is slightly off.

It should be:

namespace StringTest 
{ 
    class Program 
    { 
     static void Main(string[] args) 
     { 

       String strSQLCode; 
      strSQLCode = @" select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * " 
         + @" from view_dg_game_details gd (nolock) " 
         + @" where gd.gametypeid = {0} " 
         + @" and gd.numberofrounds = {1} " 
         + @" and gd.gamevalues = '{2}' "; 
     } 
    } 
} 
1

What you're effectively doing is:

string variable = "string" += "another string"; 

which is essentially the same as:

string variable; 
(variable = "string") += "another string"; 

Since the result of the parenthesized expression is a string (specifically, the value that was assigned), you are now effectively doing this:

string variable; 
variable = "string"; 
"string" += "another string"; 

and the compiler has a problem with the third line.

Specifically, what the compiler is telling you is that, in order to perform an assignment, you have to assign to something.

Write it like this:

strSQLCode = @" select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * 
    from view_dg_game_details gd (nolock) 
    where gd.gametypeid = @gameType 
    and gd.numberofrounds = @numberOfRounds 
    and gd.gamevalues = @gameValues "; 

and use a parameterized query.

0

Use + instead of +=.

Also, I strongly advise against storing and concatenating SQL queries this way, because it is very insecure due to SQL injection.

Read about it here: SQL injection

1

As others have mentioned, += should be +. If you are building SQL you need to at least parameterize it; SQL injection is a serious problem. I could drop tables in the database from a console or a WinApp textbox. For the first variable you could enter

1 ; drop table dg_game_details -- 

For example:

using System.Data; 
using System.Data.SqlClient; 

SqlConnection conDatabase = 
    new SqlConnection("Data Source=(local);" + 
                      "Database='projectGames';" + 
                      "Integrated Security=true"); 
SqlCommand cmdDatabase = 
    new SqlCommand("SELECT rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * FROM view_dg_game_details gd (nolock) " + 
                   "WHERE gd.gametypeid = @GameId;", conDatabase); 

// The value is sent as a typed parameter, never spliced into the statement text. 
cmdDatabase.Parameters.Add("@GameId", SqlDbType.Int); 
cmdDatabase.Parameters["@GameId"].Value = 1;
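As an added example (not code from the question or from any of the answers above), here is the query from the question built both ways: first with string.Format, which is what the {0}/{1}/{2} placeholders invite, fed the payload from the last answer, and then as the parameterized SqlCommand that the answer suggesting @gameType and the last answer both recommend. The GameDetailsQuery class name, the connection string, the parameter names and the nvarchar size are assumptions; the connection is never opened, so the program runs without a database and only prints the statements it would send. It uses System.Data.SqlClient as on .NET Framework (on .NET Core/5+ the same type comes from the System.Data.SqlClient or Microsoft.Data.SqlClient package).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; the class name and connection string are assumptions, not from the page.
static class GameDetailsQuery
{
    // The query from the question, with the {n} slots string.Format would fill in.
    // Whatever the user types is pasted into the statement text and parsed as SQL.
    const string VulnerableTemplate =
        @"select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, *
          from view_dg_game_details gd (nolock)
          where gd.gametypeid = {0}
            and gd.numberofrounds = {1}
            and gd.gamevalues = '{2}'";

    // Vulnerable: values become part of the statement text.
    public static string BuildVulnerable(string gameTypeId, string numberOfRounds, string gameValues)
    {
        return string.Format(VulnerableTemplate, gameTypeId, numberOfRounds, gameValues);
    }

    // Hardened: the statement text is a constant; values travel as typed parameters
    // alongside it, so the server never tokenizes them as SQL.
    public static SqlCommand BuildParameterized(SqlConnection connection, int gameTypeId, int numberOfRounds, string gameValues)
    {
        const string sql =
            @"select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, *
              from view_dg_game_details gd (nolock)
              where gd.gametypeid = @gameType
                and gd.numberofrounds = @numberOfRounds
                and gd.gamevalues = @gameValues";

        var cmd = new SqlCommand(sql, connection);
        cmd.Parameters.Add("@gameType", SqlDbType.Int).Value = gameTypeId;
        cmd.Parameters.Add("@numberOfRounds", SqlDbType.Int).Value = numberOfRounds;
        // Size the string parameter (assumed 200 here) so the value is bounded and plans are reused.
        cmd.Parameters.Add("@gameValues", SqlDbType.NVarChar, 200).Value = gameValues;
        return cmd;
    }

    static void Main()
    {
        // The payload from the last answer, as typed into a "game type" textbox.
        string payload = "1 ; drop table dg_game_details --";

        // The formatted text now carries a second statement; SQL Server runs the whole batch.
        Console.WriteLine(BuildVulnerable(payload, "5", "abc"));

        // For the quoted {2} slot, a single quote closes the literal and a tautology follows.
        Console.WriteLine(BuildVulnerable("1", "5", "x' or '1'='1"));

        // Parameterized version: the int slot rejects the payload before any SQL is built,
        // and the string payload is bound as data that is compared, not executed.
        using (var conn = new SqlConnection("Data Source=(local);Database=projectGames;Integrated Security=true"))
        {
            if (!int.TryParse(payload, out int gameTypeId))
            {
                Console.WriteLine("rejected: game type must be an integer");
                gameTypeId = 1;
            }
            SqlCommand cmd = BuildParameterized(conn, gameTypeId, 5, "x' or '1'='1");
            Console.WriteLine(cmd.CommandText);                      // statement text is unchanged by the input
            Console.WriteLine(cmd.Parameters["@gameValues"].Value);  // the raw string, sent separately
            // conn.Open(); using (var reader = cmd.ExecuteReader()) { /* read rows */ }
        }
    }
}
```

The first two printed statements are the ones the question's {0}/{2} placeholders would actually send; the third shows that with parameters the text sent to the server is the same no matter what the user typed. Parsing the integer inputs before binding them is a cheap extra check, but the protection comes from the parameters themselves, not from the TryParse.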