Using textbox in limit sql query

Question

Normally I've been using this statement and it works:

    "SELECT * FROM tablename LIMIT 10"

And I've tried this, but it has errors saying "error in sql syntax":

    "SELECT * FROM tablename LIMIT '" + TextBox1.Text + "' "

Answer 1

Score: 0

See how the first statement, which works, has no quotes and the second one, which does not work, does? You need to follow the pattern of the first one.

However, you need to parse TextBox1.Text into an integer and concatenate that into the string to prevent SQL injection attacks, so...

    ' Parse first: only a whole number can ever reach the query text
    Dim lim = Integer.Parse(TextBox1.Text)
    Dim sql = "SELECT * FROM [tablename] LIMIT " & lim

You may want to use TryParse instead to check that a valid number was supplied.

(Also, the string concatenation operator in VB.NET is &, not +.)
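As an added example (not the answerer's or the asker's code), here is the TryParse suggestion carried through: the textbox value is accepted only as a whole number within an assumed upper bound, and the limit is then bound as a query parameter rather than spliced into the SQL string at all. It assumes the MySQL Connector/NET provider (MySql.Data), since LIMIT is MySQL syntax, and a hypothetical connection string and table name.

```vb.net
Imports System.Data
Imports MySql.Data.MySqlClient

Public Class RowLimiter
    ' Assumed ceiling for any user-supplied limit; adjust to the application's needs.
    Private Const MaxLimit As Integer = 500

    ' Returns True and sets limit only when text is a whole number in 1..MaxLimit.
    ' Anything else (letters, quotes, negative or huge values) is rejected here,
    ' so it can never reach the query text.
    Public Shared Function TryGetLimit(text As String, ByRef limit As Integer) As Boolean
        Dim parsed As Integer
        If Not Integer.TryParse(text, parsed) Then Return False
        If parsed < 1 OrElse parsed > MaxLimit Then Return False
        limit = parsed
        Return True
    End Function

    ' Runs the query with the validated limit bound as a parameter (@lim).
    ' The SQL text is a constant; no part of TextBox1.Text is concatenated into it.
    Public Shared Function LoadRows(connectionString As String, textBoxValue As String) As DataTable
        Dim limit As Integer
        If Not TryGetLimit(textBoxValue, limit) Then
            Throw New ArgumentException("Limit must be a whole number between 1 and " & MaxLimit)
        End If

        Dim table As New DataTable()
        Using conn As New MySqlConnection(connectionString)
            Using cmd As New MySqlCommand("SELECT * FROM tablename LIMIT @lim", conn)
                cmd.Parameters.Add("@lim", MySqlDbType.Int32).Value = limit
                conn.Open()
                Using reader = cmd.ExecuteReader()
                    table.Load(reader)
                End Using
            End Using
        End Using
        Return table
    End Function
End Class

' Usage from a form (hypothetical): Dim rows = RowLimiter.LoadRows(connStr, TextBox1.Text)
```

Connector/NET substitutes the integer parameter client-side by default, so the server sees `LIMIT 25`, which is exactly the working form from the question; the range check additionally stops a user from requesting the whole table.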

huangapple
  • Published on 2023-05-11 16:32:42
  • Please keep this link when reposting: https://go.coder-hub.com/76225634.html