MySQL 参数化查询的运行就像它在 C# 应用程序中没有参数化一样
MySQL parameterized query is functioning like it is not parameterized in C# application
我不断收到此错误:MySql.Data.MySqlClient.MySqlException:'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Feature: SecurityTesting @mytag Scenario: SQL Injection Given I visit ' 在第 1 行'
参数 Gherkin 是导致查询失败的参数。我都试过了?和@作为参数前缀,没有任何变化。
这是我的代码:
string CommandText = " INSERT INTO Feature(`Path`, Gherkin, RepoID, `Name`, Updated) VALUES (?Path, ?Gherkin , ?RepoID, ?Name, ?Updated) ON DUPLICATE KEY UPDATE Gherkin = VALUES(?Gherkin); ";
using (MySqlConnection connection = new MySqlConnection())
{
connection.ConnectionString = ConfigurationManager.ConnectionStrings["TAF_DB"].ConnectionString;
using (MySqlCommand command = new MySqlCommand())
{
var gherkinParam = new MySqlParameter("Gherkin", test.Gherkin);
//var gherkinParam = new MySqlParameter("Gherkin", MySqlDbType.VarChar);
var pathParam = new MySqlParameter("Path", MySqlDbType.VarChar);
var RepoIDParam = new MySqlParameter("RepoID", MySqlDbType.Int64);
var nameParam = new MySqlParameter("Name", MySqlDbType.VarChar);
var updatedParam = new MySqlParameter("Updated", MySqlDbType.VarChar);
gherkinParam.Value = test.Gherkin;
command.Parameters.Add(gherkinParam);
pathParam.Value = test.Path;
command.Parameters.Add(pathParam);
RepoIDParam.Value = test.RepoID;
command.Parameters.Add(RepoIDParam);
nameParam.Value = test.Name;
command.Parameters.Add(nameParam);
updatedParam.Value = test.Updated;
command.Parameters.Add(updatedParam);
command.Connection = connection;
command.CommandType = CommandType.Text;
command.CommandText = CommandText;
connection.Open();
command.ExecuteNonQuery();
connection.Close();
}
}
您应该在函数 VALUES()
中使用列的名称 Gherkin
而不是命名参数 ?Gherkin
:
UPDATE Gherkin = VALUES(Gherkin)