-5
protected void Button1_Click(object sender, EventArgs e)
{
MySqlConnection connection = new MySqlConnection(ConfigurationManager.ConnectionStrings["myconstring"].ConnectionString);
connection.Open();
symptons = String.Join(", ", CheckBoxList1.Items.Cast<ListItem>().Where(i => i.Selected).Select(i => i.Value).ToArray());
Label3.Text = symptons;
if(symptons!="")
{
MySqlCommand cmd = new MySqlCommand("select d.dname from disease d inner join diseasesymptom ds on ds.did = d.did inner join symptom s on s.sid = ds.sid where s.sname in (" + symptons + ")", connection);
using (MySqlDataAdapter sda = new MySqlDataAdapter())
{
cmd.Connection = connection;
sda.SelectCommand = cmd;
using (DataTable dt = new DataTable())
{
sda.Fill(dt);
GridView1.DataSource = dt;
GridView1.DataBind();
}
}
}
else
{
Label2.Text = "select at least one symptom";
}
}
我知道我对我自己的代码排序进行SQL注入那么,如何防止这种情况, 基本上有3个表:有没有更有效的方法来写这个SQL代码?
- disease_table [栏=(disease_id,disease_name)
- symptom_table [列=](symptom_id,symptom_name)
- disease_symptom [列=](disease_id,symptom_id)
有一个复选框列表我的网页上有症状,其中文本=发烧,值=“发烧” ..等等这样做的理由是,用户可以选择任意数量的复选框,并在条款不接受参数
**警告**您的代码极易遭受SQL注入攻击! –
这就是我说的我该如何改进它,并实现上述结果..人们应该在投票前充分阅读问题 – panman
也许他们投下因为你没有阅读谷歌的第一页[“如何避免SQL注射在C#“](https://www.google.com.mx/search?q=how+to+avoid+sql+injection+in+c%23&ie=utf-8&oe=utf-8&gws_rd=cr&ei=ita8Vq- yE4S1-QHcxKfwDQ) –