C#asp.net-将数据插入数据库(不要在IAM出错的地方知道)
[英]c# asp.net - inserting data into database( dont knw where iam goin wrong)
问题描述
c# asp.net - inserting data into database( dont knw where iam goin wrong) - this code is executing but not working at all ! 
c#asp.net-将数据插入数据库(不要在iam出错的地方出错)-该代码正在执行,但根本不起作用! i tried to feed data through the website i created but it wont reflect it in my database at all plz help !!!! 我试图通过我创建的网站提供数据,但是在所有plz帮助下它都不会反映在我的数据库中!
using System;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;
public partial class _Default : System.Web.UI.Page
{
SqlConnection con = new SqlConnection("Data Source=GARGI-PC\\ROOT;Initial Catalog=master;Integrated Security=True");
protected void page_load(object sender, EventArgs e)
{}
public void refress()
{
comment1.Text = "";
software1.Checked = true;
hardware1.Checked = false;
both1.Checked = false;
others.Checked = false;
}
protected void btn(object sender, EventArgs e)
{
string type = string.Empty ;
if (hardware1.Checked == true)
{
type = "hardware";
}
if (software1.Checked == true)
{
type = "software";
}
if (both1.Checked == true)
{
type = "both";
}
if (others.Checked == true)
{
type = "others";
}
SqlCommand cmd = new SqlCommand("insert into main_page (type, discription,time) values('" + type + "','" + comment1.Text + "','" + "','"+"now()')", con);
cmd.CommandType = CommandType.Text;
try
{
con.Open();
cmd.ExecuteNonQuery();
con.Close();
refress();
}
catch (Exception ex)
{
}
}
public void btn_clear(object sender, EventArgs e)
{
refress();
}
}
2 个解决方案
解决方案1
3 2016-07-17 19:45:29
Looks like you have a double comma in your INSERT statement. 看起来您的INSERT语句中有一个逗号。
+ "','" + "','"
The INSERT statement should look like: INSERT语句应类似于:
INSERT INTO main_page (type, description, time) VALUES ('Type', 'Description', NOW())
Also you are vulnerable to SQL injection, you should paramerterize your queries for all of your inputs rather than trusting the data from your users. 另外,您容易受到SQL注入的攻击,您应该对所有输入的查询进行参数化处理,而不要信任用户的数据。 As a basic example: 作为一个基本示例:
MySqlCommand command = new MySqlCommand("INSERT INTO main_page (Description) VALUES @Description");
command.Parameters.AddWithValue("@Description", comment1.Text);
This would protect you if a user entered a SQL statement within the Comment1 textbox. 如果用户在Comment1文本框中输入了一条SQL语句,这将为您提供保护。
ArbitaryData; DROP TABLE main_page;
解决方案2
1 2016-07-17 19:52:44
You really should use the command parameters. 您确实应该使用命令参数。 Here, try this as an example: 在这里,以这个为例:
public static void AddSong(Songs s)
{
using (SqlConnection sqlcon = new SqlConnection(SQL_getConnectionString.conStr()))
{
sqlcon.Open();
try
{
string query = "INSERT INTO Songs VALUES(@Id, @Name, @Artist, @Album, @TrackNumber, @TrackNumberCount, " +
"@Genre, @Rating, @Tags, @Subject, @Categories, @Comments, @FileName, @FolderName, @FolderPath, " +
"@FullPath, @Length, @PlayCount, @SkipCount, @LastPlayed)";
using (SqlCommand cmd = new SqlCommand(query, sqlcon))
{
cmd.Parameters.Add("@Id", SqlDbType.Int).Value = s.Id;
cmd.Parameters.Add("@Name", SqlDbType.VarChar, 250).Value = s.Name;
cmd.Parameters.Add("@Album", SqlDbType.VarChar, 250).Value = s.Album;
cmd.Parameters.Add("@Artist", SqlDbType.VarChar, 250).Value = s.Artist;
cmd.Parameters.Add("@TrackNumber", SqlDbType.Int).Value = s.TrackNumber;
cmd.Parameters.Add("@TrackNumberCount", SqlDbType.Int).Value = s.TrackNumberCount;
cmd.Parameters.Add("@Genre", SqlDbType.VarChar, 500).Value = s.Genre;
cmd.Parameters.Add("@Rating", SqlDbType.Int).Value = s.Rating;
cmd.Parameters.Add("@Tags", SqlDbType.VarChar, 500).Value = s.Tags;
cmd.Parameters.Add("@Subject", SqlDbType.VarChar, 500).Value = s.Subject;
cmd.Parameters.Add("@Categories", SqlDbType.VarChar, 500).Value = s.Categories;
cmd.Parameters.Add("@Comments", SqlDbType.VarChar, -1).Value = s.Comments;
cmd.Parameters.Add("@FileName", SqlDbType.VarChar, 500).Value = s.FileName;
cmd.Parameters.Add("@FolderName", SqlDbType.VarChar, 500).Value = s.FolderName;
cmd.Parameters.Add("@FolderPath", SqlDbType.VarChar, -1).Value = s.FolderPath;
cmd.Parameters.Add("@FullPath", SqlDbType.VarChar, -1).Value = s.FullPath;
cmd.Parameters.Add("@Length", SqlDbType.VarChar, 50).Value = s.Length;
cmd.Parameters.Add("@PlayCount", SqlDbType.Int).Value = s.PlayCount;
cmd.Parameters.Add("@SkipCount", SqlDbType.Int).Value = s.SkipCount;
cmd.Parameters.Add("@LastPlayed", SqlDbType.VarChar, 50).Value = s.LastPlayed;
int rows = cmd.ExecuteNonQuery();
sqlcon.Close();
}
}
catch (Exception ex)
{
Console.WriteLine("Could not insert. {0}", s.Name);
Console.WriteLine("Error Message {0}", ex.Message);
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
在ASP.NET C#中将数据插入SQL Server数据库 - Inserting data to SQL Server database in asp.net c#
使用asp.net C#将数据插入数据库 - inserting data into database using asp.net c#
Asp.net表单将数据插入数据库中的错误字段 - Asp.net Form Inserting Data into Wrong Fields in Database
不使用ASP.NET(C#)插入数据库(MySQL) - Not inserting into DataBase(MySQL) using ASP.NET (C#)
C#-ASP.NET-将日历中的日期插入数据库 - C# - ASP.NET - Inserting Date from a calendar into a DataBase
通过C#和Asp.net将DateTime插入Acess数据库 - Inserting DateTime into Acess Database via C# and Asp.net
asp.net c#数据到数据库 - asp.net c# data to a database
使用c#Asp.NET插入数据库后,在表中显示插入的数据 - Display inserted data in a table after inserting into Database using c# Asp.NET
使用C#将动态数据插入asp.net中的sql服务器 - inserting dynamic data into a sql server in asp.net with C#
使用 asp.net 和 C# 将数据插入 gridview - Inserting data into gridview using asp.net and C#
相关标签