Update multiple MySQL columns with a parameterized UPDATE command

In my application I want to use an UPDATE command to update several MySQL columns. I tried it with the code below, but I know it is really unsafe, because it leads to SQL injection attacks. What I don't know is how to write a query with parameters that updates multiple MySQL columns.
Here is my code:
using MySql.Data.MySqlClient;

// Connection string built with string.Format: server, port and database come
// straight from text boxes.
string constring = string.Format("datasource='{0}';port='{1}';database='{2}';username=claimsprologin;password=xxxxxxxxxxxxxxxx;Connect Timeout=180;Command Timeout=180", serveriplable.Text, portno.Text, databasenamelable.Text);
// The UPDATE is assembled by concatenating text box contents into the SQL text;
// this is the injection problem the question is about. The stray comma before
// WHERE and the spaces inside the quoted values have been removed so the
// statement at least parses.
string Query = "update claimloans set loannumber = '" + this.loannumbertextbox.Text.Trim()
    + "', pool = '" + this.loanpooltextbox.Text.Trim()
    + "', disblid = '" + this.disbidtextbox.Text.Trim()
    + "', category = '" + this.categorytxtbox.Text.Trim()
    + "', subcacategory = '" + this.subcategorytxtbox.Text.Trim()
    + "', invoice = '" + this.invoicenumbertextbox.Text.Trim()
    + "', invoicedate = '" + this.invoicedatetextbox.Text.Trim()
    + "', docs = '" + this.docscombobox.Text.Trim()
    + "' where username = '" + this.usernamelable.Text.Trim() + "';";
MySqlConnection conwaqDatabase = new MySqlConnection(constring);
MySqlCommand cmdwaqDatabase = new MySqlCommand(Query, conwaqDatabase);
try {
    conwaqDatabase.Open();
    // An UPDATE returns no result set, so ExecuteNonQuery is the right call;
    // its return value is the number of rows changed.
    int rows = cmdwaqDatabase.ExecuteNonQuery();
    MessageBox.Show("Credential information updated (" + rows + " row(s))");
}
catch (MySqlException ex) {
    // The original empty catch hid every failure; at least show the error.
    MessageBox.Show("Update failed: " + ex.Message);
}
finally {
    conwaqDatabase.Close();
}
Why not use a parameterized query? – vortex 2014-11-04 14:22:36
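The parameterized version the comment is asking for, as an added example that is not part of the original question or any answer on this page. It assumes Connector/NET (the MySql.Data package the question's MySqlConnection/MySqlCommand come from); the table and column names are the ones from the question, while the class name ClaimLoanRepository, the method names and the parameter names are assumptions. Values are passed through MySqlParameter objects, so whatever the user types is sent as data and never becomes part of the SQL text; the connection string is built with MySqlConnectionStringBuilder for the same reason, since a user-typed server name or port in string.Format could otherwise inject extra key=value pairs.

```csharp
using System;
using MySql.Data.MySqlClient;

// Added example (not from the original post): a parameterized multi-column UPDATE
// with Connector/NET. Table and column names come from the question; the class,
// method and parameter names are assumed.
public static class ClaimLoanRepository
{
    // Build the connection string with the builder rather than string.Format,
    // so user-supplied server/port/database values cannot add their own keys.
    public static string BuildConnectionString(string server, uint port, string database,
                                               string user, string password)
    {
        var builder = new MySqlConnectionStringBuilder
        {
            Server = server,
            Port = port,
            Database = database,
            UserID = user,
            Password = password,
            ConnectionTimeout = 180,
            DefaultCommandTimeout = 180
        };
        return builder.ConnectionString;
    }

    // Updates every column of one claimloans row selected by username.
    // Returns the number of rows changed: 0 means no row matched the username,
    // which the caller should report instead of assuming success.
    public static int UpdateClaimLoan(string connectionString, string username,
        string loanNumber, string pool, string disbId, string category,
        string subCategory, string invoice, DateTime invoiceDate, string docs)
    {
        // Only placeholders appear in the SQL text; no user input is concatenated.
        const string sql =
            "UPDATE claimloans SET loannumber = @loannumber, pool = @pool, " +
            "disblid = @disblid, category = @category, subcacategory = @subcacategory, " +
            "invoice = @invoice, invoicedate = @invoicedate, docs = @docs " +
            "WHERE username = @username";

        using (var con = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(sql, con))
        {
            cmd.Parameters.AddWithValue("@loannumber", loanNumber);
            cmd.Parameters.AddWithValue("@pool", pool);
            cmd.Parameters.AddWithValue("@disblid", disbId);
            cmd.Parameters.AddWithValue("@category", category);
            cmd.Parameters.AddWithValue("@subcacategory", subCategory);
            cmd.Parameters.AddWithValue("@invoice", invoice);
            // Typed parameter: the date is validated in C# (DateTime) and sent
            // as a DATE, not as free text the server has to parse.
            cmd.Parameters.Add("@invoicedate", MySqlDbType.Date).Value = invoiceDate;
            cmd.Parameters.AddWithValue("@docs", docs);
            cmd.Parameters.AddWithValue("@username", username);

            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

From the form, the call would be something like UpdateClaimLoan(constring, usernamelable.Text.Trim(), loannumbertextbox.Text.Trim(), ...), after converting invoicedatetextbox.Text with DateTime.TryParse and rejecting the input if that fails. A quick check that the parameterization works: type a value such as x', docs = 'y into one of the text boxes; with the concatenated query this changes the statement, with the parameterized one the literal string x', docs = 'y is stored in that column and nothing else.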