Odac ORA-00911:无效字符(Odac ORA-00911: invalid character)
我正在编写一个连接到ODAC的C#代码。 我认为我的查询没有错误,但我得到这个错误,我不知道如何解决。
这是我的疑问
comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = '" + login_id + "' AND APPID = '" + app_id + "' ;";任何人都可以弄清楚这里有什么问题吗?
I am writing a C# code that connects to ODAC. I think my query got no errors, but I get this error, I don't know how to solve.
This is my query
comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = '" + login_id + "' AND APPID = '" + app_id + "' ;";Can any one figure out what is wrong in here?
最满意答案
您的查询容易受到称为SQL注入的安全问题的影响!
你永远不应该使用字符串连接来构建字符串查询(一些SQL,一些参数)...使用始终参数化的查询...
示例代码:
comm.BindByName = true; comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = :login_id AND APPID = :app_id"; comm.Parameters.AddWithValue ("login_id", login_id); comm.Parameters.AddWithValue ("app_id", app_id);Your query is vulnerable for a security issue called SQL injection!
You should NEVER use string concatenation for building a query from strings (some SQL, some parameters)... Use always parameterized queries...
Sample code:
comm.BindByName = true; comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = :login_id AND APPID = :app_id"; comm.Parameters.AddWithValue ("login_id", login_id); comm.Parameters.AddWithValue ("app_id", app_id);更多推荐
发布评论