我正在做一个可以从数据库中添加和搜索人员的程序。所有功能现在都可以使用,但我想防止 SQL 注入。有任何想法吗?感谢您的帮助!
这是搜索功能:
public static void SearchAll() //Söka fram alla deltagare och visa det i rutan på skärmen.
{
Form1.result = "";
connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
sql = "SELECT * FROM [employee]";
cnn = new SqlConnection(connectionString);
cnn.Open();
cmd = new SqlCommand(sql, cnn);
reader = cmd.ExecuteReader();
while (reader.Read())
{
Form1.result += "Email: " + reader.GetValue(1) + Environment.NewLine;
Form1.result += "First name: " + reader.GetValue(2) + Environment.NewLine;
Form1.result += "Last name: " + reader.GetValue(3) + Environment.NewLine;
Form1.result += "Address: " + reader.GetValue(4) + Environment.NewLine;
Form1.result += "Phonenumber: " + reader.GetValue(5) + Environment.NewLine;
Form1.result += "Jobtitle: " + reader.GetValue(7) + Environment.NewLine;
Form1.result += "Salary: " + reader.GetValue(6) + Environment.NewLine + Environment.NewLine;
}
}
这是添加功能:
public static void Add(string AddEmail, string AddFistName, string AddLastName, string AddAddress, string AddPhonenumber, string AddJobTitle, string AddSalary, string checkboxChecker) //Lägg til en deltagare funktionen.
{
connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
using(var conn = new SqlConnection(connectionString))
{
var cmd = new SqlCommand("insert into Employee (Email, FirstName, LastName, Address, Phonenumber, Salary, JobTitle, GDPR,StartDate) VALUES ('" + AddEmail + "','" + AddFistName + "','" + AddLastName + "','" + AddAddress + "','" + AddPhonenumber + "', '" + AddJobTitle + "', '" + AddSalary + "', '" + checkboxChecker + "', GETDATE())", conn);
conn.Open();
cmd.ExecuteNonQuery();
}
}
当我尝试这个时,我得到 System.NullReferenceException。我已尝试修复它,但我找不到问题所说的与“电子邮件”有关的问题。
public static void LoginChecker(string email, string Password) //Funktionen som kollar ifall man får logga in eller inte.
{
Form1.result = "";
failedCounter = 3;
connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Carlo\Desktop\Projekt\Examensarbete 2018\AdminPanel\AdminPanel\employees.mdf;Integrated Security=True";
sql = "SELECT * FROM Login WHERE UserName = @email AND Password = @password ";
cmd.Parameters.AddWithValue("@email", email);
cmd.Parameters.AddWithValue("@password", Password); //the problem says to be here!!!!!!
cnn = new SqlConnection(connectionString);
cnn.Open();
cmd = new SqlCommand(sql, cnn);
reader = cmd.ExecuteReader();
if (reader.Read() == true) //Om det finns ett inlogg med rätt email och lösenord så kommer man in.
{
Form1.Log = "Successful";
}
else //Om det inte finns ett inlogg med det som skrivits in så kommer man inte in.
{
Form1.Log = "Failed";
}
}