Odac ORA

Odac ORA-00911：无效字符(Odac ORA-00911: invalid character)

我正在编写一个连接到ODAC的C＃代码。 我认为我的查询没有错误，但我得到这个错误，我不知道如何解决。

这是我的疑问

comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = '" + login_id + "' AND APPID = '" + app_id + "' ;";

任何人都可以弄清楚这里有什么问题吗？

I am writing a C# code that connects to ODAC. I think my query got no errors, but I get this error, I don't know how to solve.

This is my query

comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = '" + login_id + "' AND APPID = '" + app_id + "' ;";

Can any one figure out what is wrong in here?

最满意答案

您的查询容易受到称为SQL注入的安全问题的影响！

你永远不应该使用字符串连接来构建字符串查询（一些SQL，一些参数）...使用始终参数化的查询...

示例代码：

comm.BindByName = true; comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = :login_id AND APPID = :app_id"; comm.Parameters.AddWithValue ("login_id", login_id); comm.Parameters.AddWithValue ("app_id", app_id);

Your query is vulnerable for a security issue called SQL injection!

You should NEVER use string concatenation for building a query from strings (some SQL, some parameters)... Use always parameterized queries...

Sample code:

comm.BindByName = true; comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = :login_id AND APPID = :app_id"; comm.Parameters.AddWithValue ("login_id", login_id); comm.Parameters.AddWithValue ("app_id", app_id);