为什么这个命令不能正常执行:
using (MySqlCommand myCommand = new MySqlCommand("Update jobs SET poster_email = '@1', url = '@2' WHERE company = '@3'; ", myConn))
{
myCommand.Parameters.AddWithValue("@1", email);
myCommand.Parameters.AddWithValue("@2", url);
myCommand.Parameters.AddWithValue("@3", company);
myConn.Open();
myCommand.ExecuteNonQuery();
}
但是当我用实际值替换 @3 时,它起作用了:
using (MySqlCommand myCommand = new MySqlCommand("Update jobs SET poster_email = '@1', url = '@2' WHERE company = 'MyCompany'; ", myConn))
{
myCommand.Parameters.AddWithValue("@1", email);
myCommand.Parameters.AddWithValue("@2", url);
myConn.Open();
myCommand.ExecuteNonQuery();
}
为 company 变量传入的值与第二个示例中硬编码的值相同。我已经逐步使用调试器来确保将 company 变量添加为参数并且它是我期望的值。 IE。没有空格和 trim()
知道我做错了什么吗?
更新:
这也行,但我不得不担心 Sql 注入(inject)...
string myQuery = string.Format("Update jobs SET poster_email = '{0}', url = '{1}' WHERE company = '{2}'; ", email, url, company);
using (MySqlCommand myCommand = new MySqlCommand(myQuery, myConn))
{
myConn.Open();
myCommand.ExecuteNonQuery();
}
最佳答案
我相信对于 MySQL 命令你想使用“?”而不是“@”:
using (MySqlCommand myCommand = new MySqlCommand("Update jobs SET poster_email = '?1', url = '?2' WHERE company = '?3'; ", myConn))
{
myCommand.Parameters.AddWithValue("?1", email);
myCommand.Parameters.AddWithValue("?2", url);
myCommand.Parameters.AddWithValue("?3", company);
myConn.Open();
myCommand.ExecuteNonQuery();
}
关于asp.net - 从 asp.net 执行 MySql 查询,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/5080898/