public string checkUsername(string username, string password)
        {
            string result = "invalid username/password";
            string connectionString = 
                "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath("~\\myDB\\database.mdb");
            string queryString = "SELECT * FROM Table WHERE [username]='" + username + "' AND [password]='" + password + "';";

            using (OleDbConnection connection = new OleDbConnection(connectionString))
            {

                connection.Open();
                OleDbCommand command = connection.CreateCommand();
                command.CommandText = queryString;

                OleDbDataReader reader = command.ExecuteReader();
                try
                {
                    while (reader.Read())
                    {
                        result = "";
                    }
                }
                finally
                {
                    reader.Close();
                    connection.Close();
                }
            }
            return result;
        }

System.Data.OleDb.OleDbException: Data type mismatch in criteria expression. pointing around this line:

OleDbDataReader reader = command.ExecuteReader();
                try
                {
                    while (reader.Read())

wanted to try:

cmd.Parameters.AddWithValue("@password", txtBoxPassword.Text);

but that "txtBoxPassword" doesn't exist in the current context.

Just learned C# for a few months now but still need guidance.

Solution

The way you have your SQL statement, you are wide open for SQL injection. It should be parameterized as you were optionally shooting for... Put that as your statement.

SELECT * FROM Table WHERE [username]=@parmUserName AND [password]=@parmPassword

Then, add your parameters as you were going for, but you should probably clean them too for sanity purposes. Here, the inbound parameters of username, password are NOT the column names for the query. You are setting these VALUES into the parameter objects.

cmd.Parameters.AddWithValue ( "@parmUserName", username);
cmd.Parameters.AddWithValue ( "@parmPassword", password);
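
The parameterized form described in the answer, applied to the question's checkUsername method. This is an added example, not code from the original post or answer; the class name LoginCheck, the connectionString argument, the explicit OleDbType.VarWChar types and the 255 length are assumptions (they assume both columns are text fields).

```csharp
using System;
using System.Data.OleDb;

public static class LoginCheck
{
    // Hypothetical helper with the same contract as checkUsername in the question:
    // returns "" when a matching row exists, the error text otherwise.
    public static string CheckUsername(string connectionString, string username, string password)
    {
        const string invalid = "invalid username/password";
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return invalid;

        // The SQL text is a constant: user input never becomes part of it.
        // [Table] is the table name as written on the page, bracketed because
        // TABLE is a reserved word in Jet SQL.
        const string sql =
            "SELECT COUNT(*) FROM [Table] WHERE [username] = ? AND [password] = ?";

        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            // OleDb binds parameters by position, not by name, so they must be
            // added in the same order as the ? markers; the names are labels only.
            // Assumption: both columns are text, hence VarWChar with an explicit
            // type instead of letting AddWithValue infer one.
            command.Parameters.Add("@parmUserName", OleDbType.VarWChar, 255).Value = username;
            command.Parameters.Add("@parmPassword", OleDbType.VarWChar, 255).Value = password;

            connection.Open();
            int matches = Convert.ToInt32(command.ExecuteScalar());
            return matches > 0 ? "" : invalid;
        }
    }
}
```

In the ASP.NET page from the question, the connection string built with Server.MapPath would be passed in as connectionString.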
Licensed under: CC-BY-SA with attribution