I'm new to SQL and visual studio etc. but I've changed something that isn't allowing me to login to my application. Whenever I press the login button I get this error
我是SQL和视觉工作室等的新手,但我改变了一些不允许我登录我的应用程序的东西。每当我按下登录按钮时,我都会收到此错误
Incorrect syntax near the keyword 'from'
关键字'from'附近的语法不正确
Here is where the source may be;
这是源可能的地方;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
namespace RockPaperApp
{
public partial class WebForm1 : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (Session["New"] != null)
{
Response.Redirect("/Game.aspx");
}
}
protected void RegButton_Press(object sender, EventArgs e)
{
Response.Redirect("/Register.aspx");
}
protected void LogButton_Press(object sender, EventArgs e)
{
string username = UsernameLogTxt.Text;
try
{
string conn = ConfigurationManager.ConnectionStrings["UserConS"].ToString();
string CommandText = "pword from data Username=@username";
using (SqlConnection connection = new SqlConnection(conn.ToString()))
using (SqlCommand command = new SqlCommand(CommandText, connection))
{
command.Parameters.AddWithValue("@username", username);
connection.Open();
using (SqlDataReader reader = command.ExecuteReader())
{
while (reader.Read())
{
string realpass = reader[0].ToString();
if (realpass != PasswordLogTxt.Text)
{
Response.Write("<span style='color:red'>A Wrong Username of Password has been entered.</span>");
}
else
{
Session["New"] = UsernameLogTxt.Text;
Response.Redirect("/Game.aspx");
}
}
if (!reader.HasRows)
{
Response.Write("No such username exists.");
}
}
connection.Close();
}
}
catch (SqlException ex)
{
Response.Write( ex.Message);
}
}
protected void Button1_Click(object sender, EventArgs e)
{
Response.Redirect("Register.aspx");
}
}
}
2 个解决方案
#1
2
This isn't a valid SQL query:
这不是有效的SQL查询:
"pword from data Username=@username"
Maybe you copied/pasted part of a query when you meant to copy/paste the whole thing? It doesn't even look like a valid part of a query, though.
当你打算复制/粘贴整个东西时,你是否复制/粘贴了部分查询?但它看起来甚至不像查询的有效部分。
The error is telling you that the problem is at keyword from
because that's the first thing it encounters after the error. For SQL errors, always look at the very last thing that was parsed before the location of the error, that last thing is what caused it. In this case the keyword pword
caused it, since that's not a valid keyword or identifier in SQL and the query parser couldn't make sense of it.
错误告诉您问题出在关键字上,因为这是错误发生后遇到的第一件事。对于SQL错误,请始终查看错误位置之前解析的最后一件事,最后一件事是导致它的原因。在这种情况下,关键字pword导致了它,因为它不是SQL中的有效关键字或标识符,并且查询解析器无法理解它。
Side note: All too often on Stack Overflow we have to lecture developers, new and experienced alike, for SQL injection vulnerabilities. This is a rare chance where I get to personally commend you for taking the initiative to use parameterized queries despite your relatively new experience level. I'm genuinely impressed, please keep up the good work!
旁注:在Stack Overflow上,我们不得不向开发人员,新人和经验丰富的人员讲述SQL注入漏洞。尽管你有相对较新的经验水平,但这是一个难得的机会,我个人赞扬你主动使用参数化查询。我真的很感动,请保持良好的工作!
Another side note: Though, you are also storing passwords in plain text, which is a very very bad thing. It's better to hash the password and store the hash. Then when a user enters a password, hash what they enter and compare it against the stored hash. Once you get this working, I hope you address that as well :)
另一方面说明:虽然,你也用纯文本存储密码,这是一件非常非常糟糕的事情。散列密码并存储散列更好。然后,当用户输入密码时,对他们输入的内容进行散列并将其与存储的散列进行比较。一旦你开始工作,我希望你也能解决这个问题:)
#2
1
Your SQL needs to be: SELECT pword FROM data WHERE Username=@username
.
您的SQL需要是:SELECT pword FROM data WHERE Username = @ username。
The capitalization of the keywords (SELECT
, FROM
, WHERE
) doesn't matter.
关键字(SELECT,FROM,WHERE)的大小写无关紧要。
#1
2
This isn't a valid SQL query:
这不是有效的SQL查询:
"pword from data Username=@username"
Maybe you copied/pasted part of a query when you meant to copy/paste the whole thing? It doesn't even look like a valid part of a query, though.
当你打算复制/粘贴整个东西时,你是否复制/粘贴了部分查询?但它看起来甚至不像查询的有效部分。
The error is telling you that the problem is at keyword from
because that's the first thing it encounters after the error. For SQL errors, always look at the very last thing that was parsed before the location of the error, that last thing is what caused it. In this case the keyword pword
caused it, since that's not a valid keyword or identifier in SQL and the query parser couldn't make sense of it.
错误告诉您问题出在关键字上,因为这是错误发生后遇到的第一件事。对于SQL错误,请始终查看错误位置之前解析的最后一件事,最后一件事是导致它的原因。在这种情况下,关键字pword导致了它,因为它不是SQL中的有效关键字或标识符,并且查询解析器无法理解它。
Side note: All too often on Stack Overflow we have to lecture developers, new and experienced alike, for SQL injection vulnerabilities. This is a rare chance where I get to personally commend you for taking the initiative to use parameterized queries despite your relatively new experience level. I'm genuinely impressed, please keep up the good work!
旁注:在Stack Overflow上,我们不得不向开发人员,新人和经验丰富的人员讲述SQL注入漏洞。尽管你有相对较新的经验水平,但这是一个难得的机会,我个人赞扬你主动使用参数化查询。我真的很感动,请保持良好的工作!
Another side note: Though, you are also storing passwords in plain text, which is a very very bad thing. It's better to hash the password and store the hash. Then when a user enters a password, hash what they enter and compare it against the stored hash. Once you get this working, I hope you address that as well :)
另一方面说明:虽然,你也用纯文本存储密码,这是一件非常非常糟糕的事情。散列密码并存储散列更好。然后,当用户输入密码时,对他们输入的内容进行散列并将其与存储的散列进行比较。一旦你开始工作,我希望你也能解决这个问题:)
#2
1
Your SQL needs to be: SELECT pword FROM data WHERE Username=@username
.
您的SQL需要是:SELECT pword FROM data WHERE Username = @ username。
The capitalization of the keywords (SELECT
, FROM
, WHERE
) doesn't matter.
关键字(SELECT,FROM,WHERE)的大小写无关紧要。