I am trying to execute a INSERT statement on a mySQL DB in C#:
string value1 = "INSERT INTO new_t(id, bid, idate,ino,int,icy) " +
"VALUES ('" + id + "', '" + bid + "', '" + idate + "', '" + ino + "', '" + int + "', 'ee')";
string result = true;
try
{
if (dbConnection.State == System.Data.ConnectionState.Open)
{
MySqlCommand myCmd = new MySqlCommand(value1, dbConnection);
if (myCmd.ExecuteNonQuery() == 0)
result = false;
}
}
catch (NotImplementedException ex)
{
MsgBox("1 " + ex.Message + DateTime.Now);
throw new NotImplementedException();
}
catch (Exception ex)
{
MsgBox("2 " + ex.Message + DateTime.Now);
throw new Exception();
}
return result;
}
This fails with the error: mysql Fatal error encountered during command execution. Any ideas on why this would fail?
What I have tried:
i have try in local DB, but can't get this error. this error only appear in when connect to other PC DB via IP.
解决方案
No help can be provided because we need to know the types and values of id, bid, idate, ino and int.
You also need to show the contain of value1 because your method to pass parameters is subject to a problem called code injection.
SQL Injection[^]
SQL injection - Wikipedia, the free encyclopedia[^]
Nota: it is a bad idea to use a variable type as a variable name.