【问题标题】:c# asp.net - inserting data into database( dont knw where iam goin wrong)c# asp.net - 将数据插入数据库(不知道我哪里出错了)
【发布时间】:2016-07-17 19:42:06
【问题描述】:

c# asp.net - 将数据插入数据库(不知道 iam 哪里出错了) - 此代码正在执行但根本不工作!我试图通过我创建的网站提供数据,但它根本不会反映在我的数据库中,请帮助!!!!

using System;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;
public partial class _Default : System.Web.UI.Page

{
    SqlConnection con = new SqlConnection("Data Source=GARGI-PC\\ROOT;Initial Catalog=master;Integrated Security=True");
    protected void page_load(object sender, EventArgs e)
    {}

    public void refress()
    {

        comment1.Text = "";

        software1.Checked = true;

        hardware1.Checked = false;

        both1.Checked = false;

        others.Checked = false;
    }
    protected void btn(object sender, EventArgs e)
    {
        string type = string.Empty ;

        if (hardware1.Checked == true)
        {
            type =  "hardware";
        }
         if (software1.Checked == true)
        {
            type = "software";
        }
         if (both1.Checked == true)
        {
            type = "both";
        }
         if (others.Checked == true)
        {
            type = "others";
        }



        SqlCommand cmd = new SqlCommand("insert into main_page (type, discription,time) values('" + type + "','" + comment1.Text + "','" + "','"+"now()')", con);

        cmd.CommandType = CommandType.Text;

        try

        {

            con.Open();

            cmd.ExecuteNonQuery();

            con.Close();

            refress();

        }

        catch (Exception ex)

        { 

        }

    }

   public void btn_clear(object sender, EventArgs e)

    {
        refress();

    }

}

【问题讨论】:

    标签: c# mysql sql asp.net database


    【解决方案1】:

    您的 INSERT 语句中似乎有一个双逗号。

    + "','" + "','"
    

    INSERT 语句应如下所示:

    INSERT INTO main_page (type, description, time) VALUES ('Type', 'Description', NOW())
    

    此外,您也容易受到 SQL 注入的影响,您应该为 所有 输入 paramerterize your queries,而不是信任来自用户的数据。作为一个基本的例子:

    MySqlCommand command = new MySqlCommand("INSERT INTO main_page (Description) VALUES @Description");
    command.Parameters.AddWithValue("@Description", comment1.Text);
    

    如果用户在 Comment1 文本框中输入 SQL 语句,这将保护您。

    ArbitaryData; DROP TABLE main_page;
    

    【讨论】:

      【解决方案2】:

      您确实应该使用命令参数。在这里,试试这个作为例子:

      public static void AddSong(Songs s)
          {
              using (SqlConnection sqlcon = new SqlConnection(SQL_getConnectionString.conStr()))
              {
                  sqlcon.Open();
                  try
                  {
                      string query = "INSERT INTO Songs VALUES(@Id, @Name, @Artist, @Album, @TrackNumber, @TrackNumberCount, " +
                          "@Genre, @Rating, @Tags, @Subject, @Categories, @Comments, @FileName, @FolderName, @FolderPath, " +
                          "@FullPath, @Length, @PlayCount, @SkipCount, @LastPlayed)";
      
                      using (SqlCommand cmd = new SqlCommand(query, sqlcon))
                      {
                          cmd.Parameters.Add("@Id", SqlDbType.Int).Value = s.Id;
                          cmd.Parameters.Add("@Name", SqlDbType.VarChar, 250).Value = s.Name;
                          cmd.Parameters.Add("@Album", SqlDbType.VarChar, 250).Value = s.Album;
                          cmd.Parameters.Add("@Artist", SqlDbType.VarChar, 250).Value = s.Artist;
                          cmd.Parameters.Add("@TrackNumber", SqlDbType.Int).Value = s.TrackNumber;
                          cmd.Parameters.Add("@TrackNumberCount", SqlDbType.Int).Value = s.TrackNumberCount;
                          cmd.Parameters.Add("@Genre", SqlDbType.VarChar, 500).Value = s.Genre;
                          cmd.Parameters.Add("@Rating", SqlDbType.Int).Value = s.Rating;
                          cmd.Parameters.Add("@Tags", SqlDbType.VarChar, 500).Value = s.Tags;
                          cmd.Parameters.Add("@Subject", SqlDbType.VarChar, 500).Value = s.Subject;
                          cmd.Parameters.Add("@Categories", SqlDbType.VarChar, 500).Value = s.Categories;
                          cmd.Parameters.Add("@Comments", SqlDbType.VarChar, -1).Value = s.Comments;
                          cmd.Parameters.Add("@FileName", SqlDbType.VarChar, 500).Value = s.FileName;
                          cmd.Parameters.Add("@FolderName", SqlDbType.VarChar, 500).Value = s.FolderName;
                          cmd.Parameters.Add("@FolderPath", SqlDbType.VarChar, -1).Value = s.FolderPath;
                          cmd.Parameters.Add("@FullPath", SqlDbType.VarChar, -1).Value = s.FullPath;
                          cmd.Parameters.Add("@Length", SqlDbType.VarChar, 50).Value = s.Length;
                          cmd.Parameters.Add("@PlayCount", SqlDbType.Int).Value = s.PlayCount;
                          cmd.Parameters.Add("@SkipCount", SqlDbType.Int).Value = s.SkipCount;
                          cmd.Parameters.Add("@LastPlayed", SqlDbType.VarChar, 50).Value = s.LastPlayed;
      
                          int rows = cmd.ExecuteNonQuery();
                          sqlcon.Close();
      
                      }
      
                  }
                  catch (Exception ex)
                  {
                      Console.WriteLine("Could not insert. {0}", s.Name);
                      Console.WriteLine("Error Message {0}", ex.Message);
                  }
      
      
              }
          }
      

      【讨论】:

        猜你喜欢
        • 2016-04-27
        • 2023-03-11
        • 1970-01-01
        • 1970-01-01
        • 2012-05-09
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        相关资源
        最近更新 更多