必须声明标量变量“@UserName”
我一直收到一个我不明白的错误。 必须声明标量变量“@varname”
经过数小时的研究,尝试了多种解决方案而无需成功。
我的目标是创建一个使用2个文本框和一个按钮的登录页面,它根据存储在Sql数据库中的信息检查用户是否退出。
这是我认为问题来自的地方:
private bool DBConnection(string userName, string password) { SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString); //string cmdString = ("SELECT UserName, Password FROM Users WHERE UserName ='" + userName + // "'AND Password ='" + password + "'"); //REMOVED AS THIS IS PRONE TO SQL INJECTIONS string cmdString = ("SELECT * FROM Users WHERE UserName = @uname AND Password = @pw"); SqlCommand cmd = new SqlCommand(cmdString, conn); cmd.Parameters.Add("uname", SqlDbType.VarChar).Value = userName; cmd.Parameters.Add("pw", SqlDbType.VarChar).Value = password; DataSet loginCredentials = new DataSet(); SqlDataAdapter dataAdapter; try { if (conn.State.Equals(ConnectionState.Closed)) { conn.Open(); dataAdapter = new SqlDataAdapter(cmdString, conn); dataAdapter.Fill(loginCredentials); conn.Close(); if (loginCredentials != null) { if (loginCredentials.Tables[0].Rows.Count > 0) { return true; } else { lblMessage.Text = "Incorrect Username or Password"; lblMessage.Visible = true; } } } } catch (Exception err) { lblMessage.Text = err.Message.ToString() + " Error connecting to the Database // " + cmd.Parameters.Count; lblMessage.Visible = true; return false; } return false; } 具体在哪里“dataAdapter.Fill(loginCredentials);” 正在执行。
注释掉的语句在使用正确的用户名和密码登录用户时成功运行,但据我所知,它不安全,因为它容易受到sql注入,这就是我试图参数化sql语句的原因。
错误截图如下: 
任何帮助,将不胜感激。
编辑:您应该将sqlcommand传递给dataAdapter,因为在您的情况下,sqlcommand(cmd)具有的信息不仅仅是commandtext和connectionstring。 您的代码可能如下所示:
private bool DBConnection(string userName, string password) { SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString); //string cmdString = ("SELECT UserName, Password FROM Users WHERE UserName ='" + userName + // "'AND Password ='" + password + "'"); //REMOVED AS THIS IS PRONE TO SQL INJECTIONS string cmdString = ("SELECT * FROM Users WHERE UserName = @uname AND Password = @pw"); SqlCommand cmd = new SqlCommand(cmdString, conn); cmd.Parameters.Add("uname", SqlDbType.VarChar).Value = userName; cmd.Parameters.Add("pw", SqlDbType.VarChar).Value = password; DataSet loginCredentials = new DataSet(); SqlDataAdapter dataAdapter; try { if (conn.State.Equals(ConnectionState.Closed)) { conn.Open(); dataAdapter = new SqlDataAdapter(cmd); dataAdapter.Fill(loginCredentials); conn.Close(); if (loginCredentials != null) { if (loginCredentials.Tables[0].Rows.Count > 0) { return true; } else { lblMessage.Text = "Incorrect Username or Password"; lblMessage.Visible = true; } } } } catch (Exception err) { lblMessage.Text = err.Message.ToString() + " Error connecting to the Database // " + cmd.Parameters.Count; lblMessage.Visible = true; return false; } return false; }
您需要将cmd传递给SqlDataAdapter构造函数而不是cmdString和conn对象。
cmd.Parameters.Add("@uname", SqlDbType.VarChar).Value = userName;
注意uname前面的@。
除了下面描述的所有错误(或者在这里;))..你正在传递命令行和数据适配器的连接,但是你正在填写你没有使用的命令的参数..;)所以你有几个错误……
最重要的是首先检查是否为特定变量分配了一些值,即
cmd.parameter.add(@YOUR_VARIABLE, sqlDbtype.TYPE).value = ValueYouwantToGIveToThatVariable;