问题
I'm making an C# windows Form Application in visual studio 2010.
That application is connecting to an mysql database, and I want to insert data in it.
Now do I have this part of code:
MySqlConnection connection;
string cs = @"server=server ip;userid=username;password=userpass;database=databse";
connection = new MySqlConnection(cs);
connection.Open();
MySqlCommand command = new MySqlCommand();
string SQL = "INSERT INTO `twMCUserDB` (`mc_userName`, `mc_userPass`, `tw_userName`, `tw_userPass`) VALUES ('@mcUserName', '@mcUserPass', '@twUserName', '@twUserPass')";
command.CommandText = SQL;
command.Parameters.Add("@mcUserName", mcUserNameNew);
command.Parameters.Add("@mcUserPass", mcUserPassNew);
command.Parameters.Add("@twUserName", twUserNameNew);
command.Parameters.Add("@twUserPass", twUserPassNew);
command.Connection = connection;
command.ExecuteNonQuery();
connection.Close();
The connection is fine. That works.
I readed here that the way that I have now, is an save way to do query's. Is that still right?
And now to the real question. With that code above, I get the following warning in visual studio:
'MySql.Data.MySqlClient.MySqlParameterCollection.Add(string, object)' is obsolete: '"Add(String parameterName, Object value) has been deprecated. Use AddWithValue(String parameterName, Object value)"'
That warning is for every parameters.add
And it isn't even working, because the values that are inserted are @mcUserName, @mcUserPass and so on, instead of the values that the variables mcUserNameNew and so on are holding...
So my question is, am I doing something wrong, and what is the new way to sql injection save do an query?
回答1:
try AddWithValue
command.Parameters.AddWithValue("@mcUserName", mcUserNameNew);
command.Parameters.AddWithValue("@mcUserPass", mcUserPassNew);
command.Parameters.AddWithValue("@twUserName", twUserNameNew);
command.Parameters.AddWithValue("@twUserPass", twUserPassNew);
and don't wrap the placeholders with single quotes.
string SQL = "INSERT INTO `twMCUserDB` (`mc_userName`, `mc_userPass`, `tw_userName`, `tw_userPass`) VALUES (@mcUserName, @mcUserPass, @twUserName, @twUserPass)";
回答2:
Just edit/remove some code in this part
('@mcUserName', '@mcUserPass', '@twUserName', '@twUserPass')
to
(@mcUserName, @mcUserPass, @twUserName, @twUserPass)
and Add( to AddWithValue(
回答3:
Please read this article, advising you against using AddWithValue:
https://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/
It says basically that AddWithValue could sometimes incorrectly infer the correct type. Use Add instead.
回答4:
@mcUserName has to match the mc_userName in the query ..
so your parm should be @mc_userName
回答5:
This is VB code...
cmd.Parameters.AddWithValue("@number", 1) 'set @number as numeric
cmd.Parameters.AddWithValue("@text", "this will be a text variable")
cmd.Parameters("@number").Value = 321 'now @number has a value
cmd.Parameters("@text").Value = "A string value" 'now @text has a value
cmd.ExecuteNonQuery()
来源:https://stackoverflow.com/questions/13580993/mysqlcommand-command-parameters-add-is-obsolete