Question

    public string checkUsername(string username, string password)
    {
        string result = "invalid username/password";
        string connectionString = 
            "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath("~\\myDB\\database.mdb");
        string queryString = "SELECT * FROM Table WHERE [username]='" + username + "' AND [password]='" + password + "';";

        using (OleDbConnection connection = new OleDbConnection(connectionString))
        {

            connection.Open();
            OleDbCommand command = connection.CreateCommand();
            command.CommandText = queryString;

            OleDbDataReader reader = command.ExecuteReader();
            try
            {
                while (reader.Read())
                {
                    result = "";
                }
            }
            finally
            {
                reader.Close();
                connection.Close();
            }
        }
        return result;
    }

System.Data.OleDb.OleDbException: Data type mismatch in criteria expression. pointing around this line:

OleDbDataReader reader = command.ExecuteReader();
                try
                {
                    while (reader.Read())

Wanted to try:

cmd.Parameters.AddWithValue("@password", txtBoxPassword.Text);

but that "txtBoxPassword" doesn't exist in the current context.

Just learned C# for a few months now but still need guidance.


Solution

The way you have your SQL statement, you are wide open for SQL injection. It should be parameterized as you were optionally shooting for... Put that as your statement.

SELECT * FROM Table WHERE [username]=@parmUserName AND [password]=@parmPassword

Then, add your parameters as you were going for, but you should probably clean them too for sanity purposes. Here, the inbound parameters of username, password are NOT the column names for the query. You are setting these VALUES into the parameter objects.

cmd.Parameters.AddWithValue ( "@parmUserName", username);
cmd.Parameters.AddWithValue ( "@parmPassword", password);
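
The parameterized form described in this answer, written out as a complete method. This is an added example, not code from the original question or answer; the class and method names, the database path in Main, and the assumption that both columns are Text columns are hypothetical.

```csharp
using System;
using System.Data.OleDb;

public static class LoginCheck
{
    // Hypothetical helper: the same lookup as checkUsername, with the
    // user-supplied values bound as parameters instead of concatenated.
    public static bool CredentialsMatch(string connectionString, string username, string password)
    {
        // "Table" is the placeholder table name used on the page; it is
        // bracketed here because TABLE is a reserved word in Jet SQL.
        const string sql =
            "SELECT COUNT(*) FROM [Table] " +
            "WHERE [username] = @parmUserName AND [password] = @parmPassword";

        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            // The OleDb provider binds parameters by position, not by name:
            // add them in the same order the placeholders appear in the SQL.
            // An explicit OleDbType keeps the provider from guessing the type;
            // VarWChar assumes both columns are Text columns.
            command.Parameters.Add("@parmUserName", OleDbType.VarWChar, 255).Value =
                username ?? string.Empty;
            command.Parameters.Add("@parmPassword", OleDbType.VarWChar, 255).Value =
                password ?? string.Empty;

            connection.Open();
            // COUNT(*) always returns exactly one row with one integer column.
            int matches = Convert.ToInt32(command.ExecuteScalar());
            return matches > 0;
        }
        // Both using blocks dispose the command and close the connection,
        // so no explicit Close() calls are needed.
    }

    public static void Main()
    {
        // Constructed path for illustration only.
        string cs = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\data\database.mdb";

        // A value containing a quote is compared as data; it cannot change
        // the shape of the WHERE clause.
        Console.WriteLine(CredentialsMatch(cs, "o'brien", "example-password"));
    }
}
```

If either column is not a Text column, change the matching OleDbType so the bound value has the column's type.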
License: CC-BY-SA with attribution
Not affiliated with StackOverflow