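---This is for personal use, so no need to worry about SQL injection--- Escaping commas, colons and single quotes in C# with MySQL
I have gone through several tutorials on MySQL escaping in C#, but couldn't find one that works for me (maybe I'm just using it incorrectly).
I am trying to insert data into a MySQL database.
The code is below: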
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Threading.Tasks;
    using System.Diagnostics;
    using System.Net;
    using System.IO;
    using System.Security.Cryptography;
    using MySql.Data;
    using MySql.Data.MySqlClient;

    namespace HASHSITE
    {
        class Program
        {
            static void Main(string[] args)
            {
                bool success;
                int done = 0;
                string path = @"C:\Users\somePC\Documents\someFolder\somefile.txt";
                string server = "someIP";
                string database = "some_db";
                string uid = "some_dbu";
                string password = "pass";
                string connectionstring = "SERVER=" + server + ";DATABASE=" + database + ";UID=" + uid + ";PASSWORD=" + password + ";";
                using (var connection = new MySqlConnection(connectionstring))
                {
                    connection.Open();
                    using (var cmd = new MySqlCommand("INSERT INTO databases(data) VALUES(@name)", connection))
                    {
                        var parameter = cmd.Parameters.Add("@name", MySqlDbType.LongText);
                        foreach (string line in File.ReadLines(path))
                        {
                            success = false;
                            while (!success)
                            {
                                parameter.Value = line;
                                cmd.ExecuteNonQuery(); //ERROR IS HERE
                                success = true;
                            }
                            done += 1;
                            Console.WriteLine("\n" + done);
                        }
                    }
                }
            }
        }
    }
I need to escape the commas that appear in the string line, i.e.
name,[email protected]
Error:
Additional information: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'databases(data) VALUES
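Writing code like this is the first step to **SQL injection**. Use parameter binding. – lad2025
Hey @lad2025, I'm using it personally to upload some data. It won't be distributed, so SQL injection isn't an issue right now –
The problem is caused by concatenating strings. Just bind the parameter and you don't need to escape it. – lad2025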
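
An added example, not part of the original post or its comments: the same bound-parameter insert with the table name backtick-quoted, because `DATABASES` is a reserved word in MySQL and MariaDB and the reported error begins at that token. `QuoteIdentifier`, `BuildInsert`, the sample lines and the `DEMO_MYSQL` environment variable are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using MySql.Data.MySqlClient;

static class BoundInsert
{
    // Hypothetical helper: backtick-quote a MySQL/MariaDB identifier,
    // doubling any embedded backtick so the name cannot end the quoting.
    public static string QuoteIdentifier(string name) =>
        "`" + name.Replace("`", "``") + "`";

    // The statement text is fixed; only the bound value changes per row.
    public static string BuildInsert(string table, string column) =>
        $"INSERT INTO {QuoteIdentifier(table)} ({QuoteIdentifier(column)}) VALUES (@value)";

    public static int InsertLines(MySqlConnection connection, IEnumerable<string> lines)
    {
        int inserted = 0;
        using (var tx = connection.BeginTransaction())
        using (var cmd = new MySqlCommand(BuildInsert("databases", "data"), connection, tx))
        {
            var parameter = cmd.Parameters.Add("@value", MySqlDbType.LongText);
            foreach (string line in lines)
            {
                // Commas, colons and quotes travel as data; no escaping is applied.
                parameter.Value = line;
                inserted += cmd.ExecuteNonQuery();
            }
            tx.Commit();
        }
        return inserted;
    }

    static void Main()
    {
        // Constructed sample lines containing a comma, a colon and single quotes.
        var sample = new[] { "name,value", "key:value", "O'Brien said 'hi'" };
        Console.WriteLine(BuildInsert("databases", "data"));

        // Assumption: the connection string is supplied in the DEMO_MYSQL variable.
        string cs = Environment.GetEnvironmentVariable("DEMO_MYSQL");
        if (string.IsNullOrEmpty(cs)) return; // no server configured: only print the SQL
        using (var connection = new MySqlConnection(cs))
        {
            connection.Open();
            Console.WriteLine(InsertLines(connection, sample) + " rows inserted");
        }
    }
}
```

Without `DEMO_MYSQL` set, the program only prints the statement text, which shows the quoted identifiers and the single `@value` placeholder.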