首页 新闻 搜索 专区 学院

登录程序报错

0
[待解决问题]

  private void button1_Click(object sender, EventArgs e)
        {


            string a = textBox1.Text;

            int b = int.Parse(textBox2.Text);
            bool bl = ceshi(a, b);
                   if (bl)
            {

                MessageBox.Show("成功");
            }
            else
            {

                MessageBox.Show("SHIBAI");
            }
        }
        public bool ceshi(string a, int b)
        {

            string sqlconnectionstring = "server=localhost;database=ceshi;integrated security=SSPI";
            SqlConnection con = new SqlConnection(sqlconnectionstring);
            con.Open();
            //string commandtext = "select * from Table_1 where name=@name and passward=@passward";

            string commandtext = "select * from Table_1 where name=" + a + "and passward=" + b;

            SqlCommand cmd = new SqlCommand(commandtext, con);
            //cmd.Parameters.Add("@name", SqlDbType.VarChar);
            //cmd.Parameters["@name"].Value = "a";
            //cmd.Parameters.Add("@passward", SqlDbType.Int);
            //cmd.Parameters["@passward"].Value = b;

            //SqlDataAdapter adapter = new SqlDataAdapter(cmd);
            //DataSet ds = new DataSet();
            //adapter.Fill(ds);
            //return ds.Tables.Count;
            SqlDataReader reader = cmd.ExecuteReader();
           
            //return reader.HasRows;
            if (reader.Read())
            {
                return true;
            }
            else
            {
                return false;
            }
            con.Close();
           
        }我在数据库建的字段name 为varchar,passward为int,提示说passward附近有错误

问题补充: string commandtext = "select * from Table_1 where name='" + a + "' and passward=" + b 请问我注释的代码可以实现吗,有没有错误
870087629的主页 870087629 | 初学一级 | 园豆:170
提问于:2010-09-15 17:12
< >
分享
所有回答(7)
0

string commandtext = "select * from Table_1 where name='" + a + "' and passward=" + b;

 

name是varchar 就要''

而且与and之间要一个空格

风浪 | 园豆:2861 (老鸟四级) | 2010-09-15 17:23
0

string commandtext = "select * from Table_1 where name=" + a + "and passward=" + b;

 

a前后加单引号

nabber | 园豆:479 (菜鸟二级) | 2010-09-15 17:23
0

字符串类型要加单引号,其它不加。

PS:密码怎么会为整型呢。

Astar | 园豆:40805 (高人七级) | 2010-09-15 17:34
0

string类型加上‘  ’

顾晓北 | 园豆:9963 (大侠五级) | 2010-09-15 17:56
0

原: string commandtext = "select * from Table_1 where name=" + a + "and passward=" + b;

新: string commandtext = "select * from Table_1 where name=’" + a +“' " + "and passward=" + b;

 

其实这样的字符串操作最好是用 StringBuilder 类来做。效率高些、也更节约资源。

HUHU慈悲 | 园豆:9973 (大侠五级) | 2010-09-15 20:12
0

好好的参数化查询的代码,楼主不用,还非要去拼SQL,为啥呢?

 

如果你的sql里已经用单引号将name括起来了,那你可以开始考虑注入的问题了,比如用户名里是不是有单引号?这样拼SQL是很危险的.

I,Robot | 园豆:9461 (大侠五级) | 2010-09-16 12:17
0

string commandtext = "select * from Table_1 where name='" + a + "' and passward=" + b"';

 

我刚学的时候碰见股这样的问题

后来先在SQLSercer试验好语句再加到VS里边

 

再后来,熟悉了就直接写了

呵呵

编程浪子_ | 园豆:348 (菜鸟二级) | 2010-09-16 23:45
清除回答草稿
   您需要登录以后才能回答,未注册用户请先注册