OleDbException: Data type mismatch in criteria expression what to do?

StackOverflow https://stackoverflow.com/questions/22511582

  •  17-06-2023
  •  | 
  •  

문제 

public string checkUsername(string username, string password)
        {
            string result = "invalid username/password";
            string connectionString = 
                "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath("~\\myDB\\database.mdb");
            string queryString = "SELECT * FROM Table WHERE [username]='" + username + "' AND [password]='" + password + "';";

            using (OleDbConnection connection = new OleDbConnection(connectionString))
            {

                connection.Open();
                OleDbCommand command = connection.CreateCommand();
                command.CommandText = queryString;

                OleDbDataReader reader = command.ExecuteReader();
                try
                {
                    while (reader.Read())
                    {
                        result = "";
                    }
                }
                finally
                {
                    reader.Close();
                    connection.Close();
                }
            }
            return result;
        }

System.Data.OleDb.OleDbException: Data type mismatch in criteria expression. pointing around this line:

OleDbDataReader reader = command.ExecuteReader();
                try
                {
                    while (reader.Read())

wanted to try:

cmd.Parameters.AddWithValue("@password", txtBoxPassword.Text);

but that "txtBoxPassword" doesnt exist in current context.

just learned c# for few months now but still need guidance.

도움이 되었습니까?

해결책

The way you have your SQL statement, you are wide open for SQL injection. It should be parameterized as you were optionally shooting for... Put that as your statement.

SELECT * FROM Table WHERE [username]=@parmUserName AND [password]=@parmPassword

Then, add your parameters as you were going for, but you should probably clean them too for sanity purposes. Here, the inbound parameters of username, password are NOT the column names for the query. You are setting these VALUES into the parameter objects.

cmd.Parameters.AddWithValue ( "@parmUserName", username);
cmd.Parameters.AddWithValue ( "@parmPassword", password);
라이센스 : CC-BY-SA ~와 함께 속성
제휴하지 않습니다 StackOverflow
scroll top