Concatenate SQL in C# with order by
I have this code and I want to write ORDER BY DESC,
but I don't know how.
Can anyone help?
OleDbCommand cmd = new OleDbCommand("SELECT * FROM users WHERE [id] = " + Session_ID, conn2);
// A C# string literal cannot span lines; split it with '+' so it compiles.
OleDbCommand cmd = new OleDbCommand("SELECT * FROM users " +
    "WHERE [id] = " + Session_ID + " ORDER BY ID DESC", conn2);
Although the above works, it has a serious flaw. SQL injection can easily be performed through the SQL query above, so it is strongly recommended to use a parameterized query to prevent SQL injection, as @S.Akbari
suggested.
First, you should know that this kind of code is open to SQL injection, and you should always use parameterized queries to avoid SQL injection. Like this:
OleDbCommand cmd = new OleDbCommand("SELECT * FROM users WHERE [id] = ? " +
    "ORDER BY ID DESC", conn2);
// OLE DB placeholders are positional '?' markers; the parameter name is ignored,
// so parameters must be added in the order the '?' markers appear.
cmd.Parameters.Add(new OleDbParameter("@SessionID", Session_ID));
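The contrast the answer describes, as an added example that is not the asker's or the answerer's code: the concatenated form from the question next to a parameterized form, including the ORDER BY. It assumes a `users` table with an integer `id` column as in the question, a placeholder OLE DB connection string, and a constructed sample session id; the `UserQueries`, `UnsafeCommand` and `SafeCommand` names are this example's own. The sort direction cannot be a parameter, so the example chooses it from two fixed literals rather than from input.

```csharp
// Added example, not the original page's code. Assumes the `users`/`id`
// schema from the question and a placeholder connection string.
using System;
using System.Data;
using System.Data.OleDb;

static class UserQueries
{
    // Placeholder: replace with a real provider and data source.
    const string ConnectionString = "Provider=<YOUR_PROVIDER>;Data Source=<YOUR_DATABASE>";

    // The question's form: the value is spliced into the SQL text, so any
    // non-numeric Session_ID becomes part of the query instead of data.
    static OleDbCommand UnsafeCommand(OleDbConnection conn, string sessionId)
    {
        return new OleDbCommand(
            "SELECT * FROM users WHERE [id] = " + sessionId + " ORDER BY ID DESC", conn);
    }

    // The answer's form: the value travels as a typed parameter. OLE DB uses
    // positional '?' markers; the parameter name is ignored, only order matters.
    static OleDbCommand SafeCommand(OleDbConnection conn, int sessionId, bool descending)
    {
        // ORDER BY direction cannot be parameterized, so it is selected from a
        // fixed pair of literals, never taken from input.
        string direction = descending ? "DESC" : "ASC";
        var cmd = new OleDbCommand(
            "SELECT * FROM users WHERE [id] = ? ORDER BY [id] " + direction, conn);
        cmd.Parameters.Add("@SessionID", OleDbType.Integer).Value = sessionId;
        return cmd;
    }

    static void Main()
    {
        int sampleSessionId = 42; // constructed sample value
        using (var conn = new OleDbConnection(ConnectionString))
        {
            conn.Open();
            using (OleDbCommand cmd = SafeCommand(conn, sampleSessionId, descending: true))
            using (OleDbDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine(reader["id"]);
            }
        }
    }
}
```

Because `SafeCommand` takes an `int`, a caller has to parse the session value before the query is built; a value that is not a valid integer fails at the call site rather than reaching the database as SQL text.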