The method of my code is as below:
protected void AddBtn_Click1(object sender, EventArgs e)
{
string text1 = TextBox1.Text;
string text2 = TextBox2.Text;
string text3 = TextBox3.Text;
string text4 = TextBox4.Text;
string text5 = TextBox5.Text;
string text6 = TextBox6.Text;
string text7 = TextBox7.Text;
string text8 = TextBox8.Text;
string text9 = TextBox9.Text;
if (pnAvailiable == 1)
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["XMLConnectionString"].ConnectionString);
con.Open();
string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES (" + text1 + "," + text2 + "," + text3 + "," + text4 + "," + text5 + "," + text6 + "," + text7 + "," + text8 + "," + text9 + ")";
SqlCommand cmd = new SqlCommand(str, con);
cmd.ExecuteNonQuery();
con.Close();
Response.Redirect(Request.RawUrl);
}
}
My database's data type is define as text
The problem is:
Actually, I just want to type in string and put string into the database.
Please help me figure out the problem. Please indicate which problem you are
protected void AddBtn_Click1(object sender, EventArgs e)
{
string text1 = TextBox1.Text;
string text2 = TextBox2.Text;
string text3 = TextBox3.Text;
string text4 = TextBox4.Text;
string text5 = TextBox5.Text;
string text6 = TextBox6.Text;
string text7 = TextBox7.Text;
string text8 = TextBox8.Text;
string text9 = TextBox9.Text;
if (pnAvailiable == 1)
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["XMLConnectionString"].ConnectionString);
con.Open();
string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES (@text1,@text2,@text3,@text4,@text5,@text6,@text7,@text8,@text9)";
SqlCommand cmd = new SqlCommand(str, con);
cmd.Parameters.AddWithValue("@text1", text1);
cmd.Parameters.AddWithValue("@text2", text2);
cmd.Parameters.AddWithValue("@text3", text3);
cmd.Parameters.AddWithValue("@text4", text4);
cmd.Parameters.AddWithValue("@text5", text5);
cmd.Parameters.AddWithValue("@text6", text6);
cmd.Parameters.AddWithValue("@text7", text7);
cmd.Parameters.AddWithValue("@text8", text8);
cmd.Parameters.AddWithValue("@text9", text9);
cmd.ExecuteNonQuery();
con.Close();
Response.Redirect(Request.RawUrl);
}
}
I suggest you to use Sql Parameter instead of just join a string. Like
SqlCommand timeSlotCmd = new SqlCommand("delete from xxxxxx where LeagueId=@LeagueId", conn, tran);
command.Parameters.Add("@LeagueId", leagueIdValue);
timeSlotCmd.ExecuteNonQuery();
Since you are not surrounding the values in single quotes, it is subtracting 1 from 6 when it encounters 6-1
. This unexpected behavior is a symptom of a serious security vulnerability that you have in your code. You should spend some time getting familiar with SQL Injection vulnerabilities (currently #1 on the OWASP top 10 list).
Luckily for you, the correct solution will take care of both the error you have encountered as well as the SQL Injection vulnerability.
To fix both problems look into using parameterized queries . Using a parameterized query you can specify the data type of each parameter (while also preventing malicious code injection). For example:
INSERT INTO XML (Part_Number, ......) VALUES (" + text1 + " ...
Would become
INSERT INTO XML (Part_Number, ......) VALUES (@PartNumber ...
This is also much easier to read IMHO. You will need to add the parameter(s) to the SqlCommand object:
SqlParameter PartNumber = new SqlParameter("@PartNumber", SqlDbType.VarChar);
PartNumber.Value = "whatever...";
cmd.Parameters.Add(PartNumber);
Hope this helps!
May be you have to add parameters.
string str = "INSERT INTO XML (Part_Number, ...) VALUES (:text1, ...)";
SqlCommand cmd = new SqlCommand(str, con);
cmd.AddParam(":text1", DbType.Int, 1, ParameterDirection.Input);
.....
cmd.ExecuteNonQuery();
con.Close();
Response.Redirect(Request.RawUrl);
change
string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES (" + text1 + "," + text2 + "," + text3 + "," + text4 + "," + text5 + "," + text6 + "," + text7 + "," + text8 + "," + text9 + ")";
into following
"INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES ('" + text1 + "','" + text2 + "','" + text3 + "','" + text4 + "','" + text5 + "','" + text6 + "','" + text7 + "','" + text8 + "','" + text9 + "')";
您的查询不正确,应将varchar插入单个代码(“行的值”)中
string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES ('" + text1 + "','" + text2 + "','" + text3 + "','" + text4 + "','" + text5 + "','" + text6 + "','" + text7 + "','" + text8 + "','" + text9 + "')";
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.