-5
protected void Button1_Click(object sender, EventArgs e)
{
MySqlConnection connection = new MySqlConnection(ConfigurationManager.ConnectionStrings["myconstring"].ConnectionString);
connection.Open();
symptons = String.Join(", ", CheckBoxList1.Items.Cast<ListItem>().Where(i => i.Selected).Select(i => i.Value).ToArray());
Label3.Text = symptons;
if(symptons!="")
{
MySqlCommand cmd = new MySqlCommand("select d.dname from disease d inner join diseasesymptom ds on ds.did = d.did inner join symptom s on s.sid = ds.sid where s.sname in (" + symptons + ")", connection);
using (MySqlDataAdapter sda = new MySqlDataAdapter())
{
cmd.Connection = connection;
sda.SelectCommand = cmd;
using (DataTable dt = new DataTable())
{
sda.Fill(dt);
GridView1.DataSource = dt;
GridView1.DataBind();
}
}
}
else
{
Label2.Text = "select at least one symptom";
}
}
我知道我對我自己的代碼排序進行SQL注入那麼,如何防止這種情況, 基本上有3個表:有沒有更有效的方法來寫這個SQL代碼?
- disease_table [欄=(disease_id,disease_name)
- symptom_table [列=](symptom_id,symptom_name)
- disease_symptom [列=](disease_id,symptom_id)
有一個複選框列表我的網頁上有症狀,其中文本=發燒,值=「發燒」 ..等等這樣做的理由是,用戶可以選擇任意數量的複選框,並在條款不接受參數
**警告**您的代碼極易遭受SQL注入攻擊! –
這就是我說的我該如何改進它,並實現上述結果..人們應該在投票前充分閱讀問題 – panman
也許他們投下因爲你沒有閱讀谷歌的第一頁[「如何避免SQL注射在C#「](https://www.google.com.mx/search?q=how+to+avoid+sql+injection+in+c%23&ie=utf-8&oe=utf-8&gws_rd=cr&ei=ita8Vq- yE4S1-QHcxKfwDQ) –