简单的SQL查询不起作用
[英]Simple sql query not working
问题描述
I tried to insert some data into my database (sql server/local file) but it doesn't work. 
我试图将一些数据插入数据库(SQL Server /本地文件),但不起作用。
public bool SaveCookie(string cookie, string expires)
{
SimpleDBM db = new SimpleDBM();
db.Connect();
try
{
string query = string.Format("INSERT INTO Cookies(cookie_value, cookie_expires) VALUES('{0}', '{1}');", cookie, expires);
SqlCommand cmd = new SqlCommand();
cmd.CommandText = query;
//...
SqlDataReader data = db.Query(ref cmd);
return data.Read();
}
catch
{
return false;
}
finally
{
db.Close();
}
}
The SimpleDBM class: SimpleDBM类:
public class SimpleDBM {
public static string dbpath = @"...";
public static string dbname = "db.mdf";
public static string dfullPath = Path.Combine(dbpath, dbname);
public static string connStr = string.Format(@"Data Source=.\SQLEXPRESS;AttachDbFilename={0};Integrated Security=True;Connect Timeout=30;User Instance=True", dfullPath);
private SqlConnection con;
public void Connect()
{
con = new SqlConnection();
con.ConnectionString = connStr;
con.Open();
}
public SqlDataReader Query(ref SqlCommand cmd)
{
cmd.Connection = con;
return cmd.ExecuteReader();
}
public void Close()
{
con.Close();
}
}
Can someone point out my mistake? 有人可以指出我的错误吗? For other queries it seems to work fine. 对于其他查询,它似乎工作正常。
Thanks in advance. 提前致谢。
2 个解决方案
解决方案1
5 已采纳 2011-10-20 23:13:39
The problem seems to be that you're trying to execute a query that doesn't return a result set using the ExecuteReader method of the SqlCommand class which will attempt to execute your query and create and return a DataReader for an eventual result set. 问题似乎是您正在尝试使用SqlCommand类的ExecuteReader方法执行不返回结果集的查询,该方法将尝试执行查询并为最终结果集创建并返回DataReader。
You should use ExecuteNonQuery for INSERT and UPDATE sql statements. 您应该对INSERT和UPDATE sql语句使用ExecuteNonQuery 。
SIDE NOTE 边注
Not that it's the reason you're getting the error but you should also consider using SqlParamters instead of composing the values into the INSERT statement. 并非这是导致错误的原因,但是您还应该考虑使用SqlParamters而不是将值组成INSERT语句。 Using prepared SQL statements generally gives a performance enhancement and also helps prevent SQL injection attacks. 使用准备好的SQL语句通常可以提高性能,还有助于防止SQL注入攻击。
For an example of using prepared statements, see the MSDN page or the Prepare method. 有关使用准备好的语句的示例,请参见MSDN页面或Prepare方法。
解决方案2
3 2011-10-20 23:15:36
You are using a ExecuteReader when you should be using ExecuteNonQuery. 当您应该使用ExecuteNonQuery时,您正在使用ExecuteReader。
Not related to your error you really should not be using String.Format with SqlCommand. 与您的错误无关,您实际上不应该将String.Format与SqlCommand一起使用。 What you should do is 你应该做的是
string query = "INSERT INTO Cookies(cookie_value, cookie_expires) VALUES(@cookie, @expires);", cookie, expires);
SqlCommand cmd = new SqlCommand();
cmd.Parameters.AddWithValue("@cookie", cookie);
cmd.Parameters.AddWithValue("@expires", expires);
cmd.CommandText = query;
With your method ask your self if someone passed a cookie of ' ''); Drop table Cookies -- 用你的方法问问自己,是否有人传递了' ''); Drop table Cookies -- cookie ' ''); Drop table Cookies -- ' ''); Drop table Cookies -- ? ' ''); Drop table Cookies -- ? This is called a "Sql Injection Attack" and is one of the top 5 reasons websites get hacked. 这称为“ Sql注入攻击”,是网站被黑客入侵的5大原因之一。
EDIT 编辑
Just to help give another example of why using String.Format to pass values you did not generate is bad. 只是为了帮助给出另一个示例,说明为什么使用String.Format传递未生成的值是不好的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.