正在使用不工作的会话更新数据库C#SQL
本文关键字:会话 更新 数据库 C#SQL 工作 | 更新日期: 2023-09-27 18:22:43
因此,我的代码会显示搜索到的讲师的userID和用户之前选择的ModuleID。然而,它在这条线上断裂了;
myCommand.ExecuteNonQuery();
错误为;
An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code
Additional information: Incorrect syntax near '('.
我不知道它为什么会这样,但我可以看到,当我使用断点时,我的东西被拉过了。
前端代码:
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:DefaultConnection %>"
SelectCommand="SELECT Lecturer_Records.UserID, Lecturer_Records.FirstName, Lecturer_Records.Surname, Lecturer_Records.PhoneNumber, Users.Email
FROM Lecturer_Records
INNER JOIN Users ON Lecturer_Records.UserID = Users.UserID
WHERE (Users.Email = @email)">
<SelectParameters>
<asp:QueryStringParameter Name="email" QueryStringField="searchlects" />
<asp:SessionParameter Name="ModuleID" SessionField="ModuleID" Type="Int32" />
</SelectParameters>
</asp:SqlDataSource>
<asp:GridView ID="SearchResult" runat="server" AutoGenerateColumns="False" AutoGenerateSelectButton="True" DataSourceID="SqlDataSource1" OnSelectedIndexChanged="SearchResult_SelectedIndexChanged">
<Columns>
<asp:BoundField DataField="UserID" HeaderText="UserID" SortExpression="UserID" />
<asp:BoundField DataField="FirstName" HeaderText="FirstName" SortExpression="FirstName" />
<asp:BoundField DataField="Surname" HeaderText="Surname" SortExpression="Surname" />
<asp:BoundField DataField="PhoneNumber" HeaderText="PhoneNumber" SortExpression="PhoneNumber" />
<asp:BoundField DataField="Email" HeaderText="Email" SortExpression="Email" />
</Columns>
</asp:GridView>
还有我的C#代码
protected void SearchResult_SelectedIndexChanged(object sender, EventArgs e)
{
// open new connection
SqlConnection connection1 = new SqlConnection(ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString);
connection1.Open();
string SearchUser = SearchResult.SelectedRow.Cells[1].Text;
string Module = (string)Session["ModuleID"];
SqlCommand myCommand = new SqlCommand("UPDATE [Modules] SET (UserID = '" + SearchUser + "') WHERE (ModuleID = '" + Module + "')", connection1);
myCommand.ExecuteNonQuery();
// move on to home page
Response.Redirect("APMDefault.aspx");
}
您的命令中不需要任何(或)。它们破坏了sql语法。只需删除它们。
但更重要的是,您应该始终使用参数化查询。这种字符串串联对SQL注入攻击是开放的。
根据您的列名,它们似乎是一种数字类型。这意味着,您可能还需要删除单引号。如果你使用事先准备好的陈述,你当然就不需要了。
并使用using语句来处理您的连接和命令。
using(var connection1 = new SqlConnection(ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString))
using(var myCommand = connection1.CreateCommand())
{
myCommand.CommandText = @"UPDATE Modules SET UserID = @userid
WHERE ModuleID = @moduleid";
myCommand.Parameters.Add("@userid", SqlDbType.NVarChar).Value = SearchUser;
myCommand.Parameters.Add("@moduleid", SqlDbType.NVarChar).Value = Module;
// I assumed your column types are nvarchar
connection1.Open();
myCommand.ExecutenonQuery();
// move on to home page
Response.Redirect("APMDefault.aspx");
}
但实际上,这些列似乎是数字类型。您可以更改其类型,也可以更改将其类型指向字符的名称。