0

Here is the cs file:

public int CheckExisting(String sqlDbQry, String sTable)
{
    Qry = sqlDbQry;
    con = new OleDbConnection(connectionstr);
    if (con.State == ConnectionState.Open)
        con.Close();
    con.Open();
    cmd = new OleDbCommand(Qry, con);
    dr = cmd.ExecuteReader();
    while (dr.Read())
        rQry = Convert.ToInt32(dr[0].ToString());
    con.Close();
    return rQry;
}

Here is my other cs:

protected void btnsub_Click(object sender, EventArgs e)
{
    if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Email='" + Textemail.Text.Trim() + "'", "Temp") > 0)
    {
        lblmail.Text = "Your EmailId already Registered, Please Login!";
        return;
    }
    if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Phone_num='" + Textphone.Text.Trim() + "'", "Temp") > 0)
    {
        lblmail.Text = "Mobile number already exists, Please Login!";

        return;
    }
}

When I enter the input details and hit submit, it shows an error something like this:

Here is the screenshot of the error:

Can anyone help me to fix this?

4

4 Answers

2

You are manually building a SQL string from the textbox labelled "Email". An email address usually contains an "@". Because you are building the raw SQL query, you are putting that "@" straight into the query. OleDb interprets it as a SQL parameter and expects you to supply a value for it, which you are not, and that is what causes the error. If any of your textboxes contains a ' (single quote), you will get a similar error.

You should consider using OleDbCommand with OleDbParameter to pass the parameters rather than sending raw strings. This will also fix the SQL injection vulnerability that others have mentioned.

Answered 2015-10-26T16:28:15.550
0

I can't edit your post, so I am doing it here.

public int CheckExisting(String sqlDbQry, String sTable)
{
    try
    {
        Qry = sqlDbQry;
        con = new OleDbConnection(connectionstr);
        if (con.State == ConnectionState.Open)
            con.Close();
        con.Open();
        cmd = new OleDbCommand(Qry, con);
        dr = cmd.ExecuteReader();
        while (dr.Read())
            rQry = Convert.ToInt32(dr[0].ToString());
        dr.Close();
        con.Close();
        return rQry;
    }
    catch (OleDbException ex)
    {
        // the exception object is not a string; the provider's description is in ex.Message
        string message = ex.Message;
        //put your message on a textbox or alert handler error on the web
        //or while debugging use a breakpoint on the exception handler
        //use log
        Console.WriteLine(message);
        // rethrow after logging: the method must return an int on every path, and
        // swallowing the error would make a failed check look like "not registered"
        throw;
    }
    finally
    {
        // make sure the connection is released even when the query fails
        if (con != null && con.State == ConnectionState.Open)
            con.Close();
    }
}
Answered 2015-10-26T16:27:52.343
0

Remember that with OleDb the parameters are positional, not named. You can give the parameters names, but you cannot use the @ syntax in the command text (it will throw an error about needing to declare a scalar variable)... the correct syntax is to use ? ... and the parameters are picked up in the order in which you added them.

Also, I prefer the .AddWithValue syntax, which I find more readable.

Answered 2015-10-26T16:48:01.270
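As an added example (not code from the question or from any of the answers), here is CheckExisting and its caller rewritten the way the first and third answers describe: the user's text is bound through positional ? placeholders with AddWithValue instead of being spliced into the SQL, so an "@" or a quote in the email is only data and the injection hole closes at the same time. The connection string name connectionstr, the registration table and the Email and Phone_num columns come from the question; the AdminData class, its constructor and the RegistrationCheck helper are assumed.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Assumed class name; the original objAdmin is only referenced in the question.
public class AdminData
{
    private readonly string connectionstr;

    public AdminData(string connectionString)
    {
        connectionstr = connectionString;
    }

    // sql contains '?' placeholders. OleDb binds them in the order the
    // parameters are added, so the caller passes values in placeholder order.
    public int CheckExisting(string sql, params object[] values)
    {
        using (var con = new OleDbConnection(connectionstr))
        using (var cmd = new OleDbCommand(sql, con))
        {
            for (int i = 0; i < values.Length; i++)
            {
                // The name is only a label with OleDb; the position is what binds.
                // A C# null must be sent as DBNull.Value or the provider reports
                // a missing parameter value.
                cmd.Parameters.AddWithValue("p" + i, values[i] ?? DBNull.Value);
            }
            con.Open();
            // COUNT(*) yields one value, so ExecuteScalar replaces the reader loop.
            return Convert.ToInt32(cmd.ExecuteScalar());
        }
    }
}

// Assumed helper adapted from btnsub_Click: returns the message to show,
// or null when neither value is already registered.
public static class RegistrationCheck
{
    public static string Validate(AdminData objAdmin, string email, string phone)
    {
        if (objAdmin.CheckExisting(
                "SELECT COUNT(*) FROM registration WHERE Email = ?", email.Trim()) > 0)
            return "Your EmailId already Registered, Please Login!";

        if (objAdmin.CheckExisting(
                "SELECT COUNT(*) FROM registration WHERE Phone_num = ?", phone.Trim()) > 0)
            return "Mobile number already exists, Please Login!";

        return null;
    }
}
```

In the page handler the call becomes lblmail.Text = RegistrationCheck.Validate(objAdmin, Textemail.Text, Textphone.Text), followed by a return when the result is not null. Because the SQL text no longer depends on the input, a single quote, an "@" or a comment sequence typed into either textbox cannot change the query; the using blocks also close the reader and connection on every path, which the original method did not do when the query threw.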
-1
protected void btnsub_Click(object sender, EventArgs e)
{
    if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Email='" + this.Textemail.Text.Trim() + "'", "Temp") > 0)
    {
        lblmail.Text = "Your EmailId already Registered, Please Login!";
        return;
    }
    if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Phone_num='" + this.Textphone.Text.Trim() + "'", "Temp") > 0)
    {
        lblmail.Text = "Mobile number already exists, Please Login!";

        return;
    }
}

Just write this.Textemail.Text and this.Textphone.Text; I hope this helps you.

Answered 2015-10-26T16:37:22.940