ASP.NET未将命令发送到SQL Server
[英]ASP.NET is not sending a command to a SQL server
问题描述
I have been assigned to create a website for a club at my school at kmhsmc.somee.com . 
我被分配在我的学校kmhsmc.somee.com上为一个俱乐部创建一个网站。 I choose ASP for the language and I am having an issue with a sql function. 我选择ASP作为语言,但是sql函数有问题。 If you go to the website above and click on join current liveclub session and fill in a bunch of junk in the textboxes at the top and hit join, it throws a SQL exception. 如果您访问上面的网站并单击“ 加入当前的liveclub会话”,并在顶部的文本框中填写一堆垃圾,然后单击“加入”,则会引发SQL异常。 here is the code: 这是代码:
UName = TextBox1.Text;
CompN = TextBox2.Text;
TMin = TextBox3.Text;
Name = TextBox4.Text;
TextBox1.Visible = false;
TextBox2.Visible = false;
TextBox3.Visible = false;
TextBox4.Visible = false;
string sql = "INSERT INTO table_name values (" + Name + "," + UName + "," + CompN + "," + TMin + "," + "NA" + "," + 0 + ")";
conn.Open();
try
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.ExecuteNonQuery();
}
catch
{
Response.Write("<script>alert('SQL error: try again later')</script>");
}
finally
{
conn.Close();
}
And for anyone who asks, I am 110% sure it is not the connection string because it works just fine on the calender page of the site. 对于任何提出要求的人,我都会110%确信它不是连接字符串,因为它在网站的日历页面上可以正常工作。
Here is some other relevant information about this project: 这是有关此项目的其他一些相关信息:
- I am doing it in C# and HTML ONLY (CSS and other designing things will be done by someone else later) 我只用C#和HTML来做(CSS和其他设计工作将在以后由其他人完成)
- The server uses SQL server 2012 服务器使用SQL Server 2012
2 个解决方案
解决方案1
5 已采纳 2013-12-21 18:30:52
Problem : you are not enclosing the String types VARCHAR,NVARCHAR columns inside single quotes . 问题:您没有将String类型VARCHAR,NVARCHAR列single quotes在single quotes 。
Solution : you need to enclose the String types inside single quotes . 解决方案:您需要将String类型括在single quotes 。
Try This: 尝试这个:
sqlCmd.CommandText = "INSERT INTO tablename(name) VALUES('yourname');
Suggestion : You should use Parameterised queries to avoid SQL injection attacks . 建议:您应该使用Parameterised queries来避免SQL injection attacks 。
Complete Code: using parameterised sql queries 完整代码:使用parameterised sql queries
string sql = "INSERT INTO table_name values (@Name,@UName,@CompN,@TMin,@value1,@value2)";
conn.Open();
try
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.Parameters.AddWithValue("@Name",Name);
cmd.Parameters.AddWithValue("@UName",UName);
cmd.Parameters.AddWithValue("@CompN",CompN);
cmd.Parameters.AddWithValue("@TMin",TMin);
cmd.Parameters.AddWithValue("@value1","NA");
cmd.Parameters.AddWithValue("@value2",0);
cmd.ExecuteNonQuery();
}
解决方案2
0 2013-12-21 18:36:16
your sql string is wrong. 您的sql字符串错误。
UName = TextBox1.Text;
CompN = TextBox2.Text;
TMin = TextBox3.Text;
Name = TextBox4.Text;
TextBox1.Visible = false;
TextBox2.Visible = false;
TextBox3.Visible = false;
TextBox4.Visible = false;
string sql = "INSERT INTO table_name values ('" + Name + "','" + UName + "','" + CompN + "','" + TMin + "','NA', 0 )";
conn.Open();
try
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.ExecuteNonQuery();
}
catch
{
Response.Write( "<script>alert( 'SQL error: try again later' )</script>" );
}
finally
{
conn.Close();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.