[英]Inserting into table from a form in asp.net
我有一個頁面,您可以在其中填充一些信息,並根據該信息在數據庫中插入新行。 這是填寫的表單的屏幕截圖:
這是我單擊提交按鈕時要插入數據庫的代碼:
protected void CreateCourseButton_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = "Data Source=.\\SQLEXPRESS;Initial Catalog=University;Integrated Security=True;Pooling=False";
string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite) values ("
+ courseID.Text + "," + courseName.Text + "," + studyLevel.SelectedValue + "," + capacity.Text + "," + "Admin," + credits.Text + "," + prereq.Text + ")";
SqlCommand cmd1 = new SqlCommand(query1, con);
con.Open();
cmd1.ExecuteNonQuery();
con.Close();
}
問題是,單擊提交時出現以下錯誤:
Server Error in '/Bannerweb' Application.
Incorrect syntax near the keyword 'to'.
Description: An unhandled exception occurred during the execution of the current web
request. Please review the stack trace for more information about the error and where
it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near the
keyword 'to'.
Source Error:
Line 32: SqlCommand cmd1 = new SqlCommand(query1, con);
Line 33: con.Open();
Line 34: cmd1.ExecuteNonQuery();
Line 35: con.Close();
Line 36: }
Source File: c:\Banner\Bannerweb\Pages\CreateCourse.aspx.cs Line: 34
Stack Trace:
[SqlException (0x80131904): Incorrect syntax near the keyword 'to'.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean
breakConnection) +2084930
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean
breakConnection) +5084668
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning() +234
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler,
SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject
stateObj) +2275
System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean
async) +228
System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result,
String methodName, Boolean sendToPipe) +326
System.Data.SqlClient.SqlCommand.ExecuteNonQuery() +137
CreateCourse.CreateCourseButton_Click(Object sender, EventArgs e) in
c:\Banner\Bannerweb\Pages\CreateCourse.aspx.cs:34
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +118
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +112
第34行是:
cmd1.ExecuteNonQuery();
誰能幫我解決這個錯誤?
謝謝
發生此錯誤是因為您在插入的值之間缺少“”。 無論如何,最好的方法是像這樣使用Parameters
集合:
string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite) values (@crn, @cursename, @studylevel, @capacity, @instructor, @credits, @prerequesite)";
SqlCommand cmd1 = new SqlCommand(query1, con);
cmd1.Parameters.AddWithValue("@crn", courseID.Text);
//add the rest
con.Open();
cmd1.ExecuteNonQuery();
con.Close();
看來您需要在Course Name
周圍添加引號。 還請使用SQL parameterized queries
這樣您就不會受到SQL Injection
攻擊。
'" + courseName.Text + "'
將評估為:
'Intro to comp'
http://johnhforrest.com/2010/10/parameterized-sql-queries-in-c/
你必須通過所有的控制內部的價值'
更新您的SQL查詢是這樣的:
string query1 = "insert into
Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite) values ("+
"'" + courseID.Text + "'" + "," + "'" + courseName.Text + "'" + "," +
"'" + studyLevel.SelectedValue + "'" + "," + "'" + capacity.Text + "'" +
"," + "'Admin'," + "'" + credits.Text + "'" + "," + "'"+prereq.Text +"'" + ")";
//返回受查詢影響的行數
int a= cmd1.ExecuteNonQuery();
if(a>0)
{
//inserted
}
else
{
//not inserted
}
在此處查看更多詳情。
此錯誤可能來自“ Course name
字段,該字段中的值中有空格。 要解決此問題,您可以將TextBoxes
的值包裝到'
char中。
但是,這是一個巨大的安全漏洞。 如今,您必須使用參數,例如插入內容必須類似於:
SqlConnection con = new SqlConnection();
con.ConnectionString = "...";
string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite)"+
" values (@CRN, @CourseName, ...)";
SqlCommand cmd1 = new SqlCommand(query1, con);
// Insert parameters
cmd1.Parameters.AddWithValue("@CRN",courseID.Text);
...
con.Open();
cmd1.ExecuteNonQuery();
con.Close();
您必須使用參數來保護自己免受SQL注入攻擊。
嘗試這個
string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite)
values ('"+ courseID.Text +"','"+ courseName.Text + "','" + studyLevel.SelectedValue +"', '" + capacity.Text +"','" + "Admin" +"','"+credits.Text + "','" + prereq.Text +"') ";
您的查詢語法完全錯誤。
像這樣修改您的Insert
查詢
string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite) values ("
+ courseID.Text + ",'" + courseName.Text + "'," + studyLevel.SelectedValue + "," + capacity.Text + "," + "Admin," + credits.Text + "," + prereq.Text + ")";
第二個問題
如果已保存,則ExecuteNonQuery
將返回1
否則為0
,因此,使用return的值,您可以檢查並應用條件。
希望你能理解。
protected void Button1_Click(object sender, EventArgs e)
{
SqlConnection conn = new SqlConnection("Data Source=D1-0221-37-393\\SQLEXPRESS;Initial Catalog=RSBY;User ID=sa;Password=BMW@721");
conn.Open();
string EmployeeId = Convert.ToString(TextBox1.Text);
string EmployeeName = Convert.ToString(TextBox2.Text);
string EmployeeDepartment = Convert.ToString(DropDownList1.SelectedValue);
string EmployeeDesignation = Convert.ToString(DropDownList2.SelectedValue);
string DOB = Convert.ToString(TextBox3.Text);
string DOJ = Convert.ToString(TextBox4.Text);
SqlCommand cmd = new SqlCommand("insert into Employeemaster values('" + EmployeeId + "','" + EmployeeName + "','" + EmployeeDepartment + "','" + EmployeeDesignation + "','" + DOB + "','" + DOJ + "')", conn);
cmd.ExecuteNonQuery();
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.