[英]ASP.NET is not sending a command to a SQL server
I have been assigned to create a website for a club at my school at kmhsmc.somee.com . 我被分配在我的学校kmhsmc.somee.com上为一个俱乐部创建一个网站。 I choose ASP for the language and I am having an issue with a sql function.
我选择ASP作为语言,但是sql函数有问题。 If you go to the website above and click on join current liveclub session and fill in a bunch of junk in the textboxes at the top and hit join, it throws a SQL exception.
如果您访问上面的网站并单击“ 加入当前的liveclub会话”,并在顶部的文本框中填写一堆垃圾,然后单击“加入”,则会引发SQL异常。 here is the code:
这是代码:
UName = TextBox1.Text;
CompN = TextBox2.Text;
TMin = TextBox3.Text;
Name = TextBox4.Text;
TextBox1.Visible = false;
TextBox2.Visible = false;
TextBox3.Visible = false;
TextBox4.Visible = false;
string sql = "INSERT INTO table_name values (" + Name + "," + UName + "," + CompN + "," + TMin + "," + "NA" + "," + 0 + ")";
conn.Open();
try
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.ExecuteNonQuery();
}
catch
{
Response.Write("<script>alert('SQL error: try again later')</script>");
}
finally
{
conn.Close();
}
And for anyone who asks, I am 110% sure it is not the connection string because it works just fine on the calender page of the site. 对于任何提出要求的人,我都会110%确信它不是连接字符串,因为它在网站的日历页面上可以正常工作。
Here is some other relevant information about this project: 这是有关此项目的其他一些相关信息:
Problem : you are not enclosing the String
types VARCHAR,NVARCHAR
columns inside single quotes
. 问题:您没有将
String
类型VARCHAR,NVARCHAR
列single quotes
在single quotes
。
Solution : you need to enclose the String
types inside single quotes
. 解决方案:您需要将
String
类型括在single quotes
。
Try This: 尝试这个:
sqlCmd.CommandText = "INSERT INTO tablename(name) VALUES('yourname');
Suggestion : You should use Parameterised queries
to avoid SQL injection attacks
. 建议:您应该使用
Parameterised queries
来避免SQL injection attacks
。
Complete Code: using parameterised sql queries
完整代码:使用
parameterised sql queries
string sql = "INSERT INTO table_name values (@Name,@UName,@CompN,@TMin,@value1,@value2)";
conn.Open();
try
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.Parameters.AddWithValue("@Name",Name);
cmd.Parameters.AddWithValue("@UName",UName);
cmd.Parameters.AddWithValue("@CompN",CompN);
cmd.Parameters.AddWithValue("@TMin",TMin);
cmd.Parameters.AddWithValue("@value1","NA");
cmd.Parameters.AddWithValue("@value2",0);
cmd.ExecuteNonQuery();
}
your sql string is wrong. 您的sql字符串错误。
UName = TextBox1.Text;
CompN = TextBox2.Text;
TMin = TextBox3.Text;
Name = TextBox4.Text;
TextBox1.Visible = false;
TextBox2.Visible = false;
TextBox3.Visible = false;
TextBox4.Visible = false;
string sql = "INSERT INTO table_name values ('" + Name + "','" + UName + "','" + CompN + "','" + TMin + "','NA', 0 )";
conn.Open();
try
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.ExecuteNonQuery();
}
catch
{
Response.Write( "<script>alert( 'SQL error: try again later' )</script>" );
}
finally
{
conn.Close();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.