c#asp.net-将数据插入数据库(不要问我哪里出了问题)
本文关键字:问题 数据 net- 插入 数据库 c#asp | 更新日期: 2023-09-27 17:57:26
c#asp.net-将数据插入数据库(不要在哪里出错)-这段代码正在执行,但根本不起作用!我试图通过我创建的网站提供数据,但它根本不会反映在我的数据库中!!!!
using System;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;
public partial class _Default : System.Web.UI.Page
{
SqlConnection con = new SqlConnection("Data Source=GARGI-PC''ROOT;Initial Catalog=master;Integrated Security=True");
protected void page_load(object sender, EventArgs e)
{}
public void refress()
{
comment1.Text = "";
software1.Checked = true;
hardware1.Checked = false;
both1.Checked = false;
others.Checked = false;
}
protected void btn(object sender, EventArgs e)
{
string type = string.Empty ;
if (hardware1.Checked == true)
{
type = "hardware";
}
if (software1.Checked == true)
{
type = "software";
}
if (both1.Checked == true)
{
type = "both";
}
if (others.Checked == true)
{
type = "others";
}
SqlCommand cmd = new SqlCommand("insert into main_page (type, discription,time) values('" + type + "','" + comment1.Text + "','" + "','"+"now()')", con);
cmd.CommandType = CommandType.Text;
try
{
con.Open();
cmd.ExecuteNonQuery();
con.Close();
refress();
}
catch (Exception ex)
{
}
}
public void btn_clear(object sender, EventArgs e)
{
refress();
}
}
看起来INSERT语句中有一个双逗号。
+ "','" + "','"
INSERT语句应该看起来像:
INSERT INTO main_page (type, description, time) VALUES ('Type', 'Description', NOW())
此外,您还容易受到SQL注入的攻击,您应该对所有输入的查询进行参数化,而不是信任来自用户的数据。作为一个基本示例:
MySqlCommand command = new MySqlCommand("INSERT INTO main_page (Description) VALUES @Description");
command.Parameters.AddWithValue("@Description", comment1.Text);
如果用户在Comment1文本框中输入SQL语句,这将保护您。
ArbitaryData; DROP TABLE main_page;
您确实应该使用命令参数。这里,举个例子:
public static void AddSong(Songs s)
{
using (SqlConnection sqlcon = new SqlConnection(SQL_getConnectionString.conStr()))
{
sqlcon.Open();
try
{
string query = "INSERT INTO Songs VALUES(@Id, @Name, @Artist, @Album, @TrackNumber, @TrackNumberCount, " +
"@Genre, @Rating, @Tags, @Subject, @Categories, @Comments, @FileName, @FolderName, @FolderPath, " +
"@FullPath, @Length, @PlayCount, @SkipCount, @LastPlayed)";
using (SqlCommand cmd = new SqlCommand(query, sqlcon))
{
cmd.Parameters.Add("@Id", SqlDbType.Int).Value = s.Id;
cmd.Parameters.Add("@Name", SqlDbType.VarChar, 250).Value = s.Name;
cmd.Parameters.Add("@Album", SqlDbType.VarChar, 250).Value = s.Album;
cmd.Parameters.Add("@Artist", SqlDbType.VarChar, 250).Value = s.Artist;
cmd.Parameters.Add("@TrackNumber", SqlDbType.Int).Value = s.TrackNumber;
cmd.Parameters.Add("@TrackNumberCount", SqlDbType.Int).Value = s.TrackNumberCount;
cmd.Parameters.Add("@Genre", SqlDbType.VarChar, 500).Value = s.Genre;
cmd.Parameters.Add("@Rating", SqlDbType.Int).Value = s.Rating;
cmd.Parameters.Add("@Tags", SqlDbType.VarChar, 500).Value = s.Tags;
cmd.Parameters.Add("@Subject", SqlDbType.VarChar, 500).Value = s.Subject;
cmd.Parameters.Add("@Categories", SqlDbType.VarChar, 500).Value = s.Categories;
cmd.Parameters.Add("@Comments", SqlDbType.VarChar, -1).Value = s.Comments;
cmd.Parameters.Add("@FileName", SqlDbType.VarChar, 500).Value = s.FileName;
cmd.Parameters.Add("@FolderName", SqlDbType.VarChar, 500).Value = s.FolderName;
cmd.Parameters.Add("@FolderPath", SqlDbType.VarChar, -1).Value = s.FolderPath;
cmd.Parameters.Add("@FullPath", SqlDbType.VarChar, -1).Value = s.FullPath;
cmd.Parameters.Add("@Length", SqlDbType.VarChar, 50).Value = s.Length;
cmd.Parameters.Add("@PlayCount", SqlDbType.Int).Value = s.PlayCount;
cmd.Parameters.Add("@SkipCount", SqlDbType.Int).Value = s.SkipCount;
cmd.Parameters.Add("@LastPlayed", SqlDbType.VarChar, 50).Value = s.LastPlayed;
int rows = cmd.ExecuteNonQuery();
sqlcon.Close();
}
}
catch (Exception ex)
{
Console.WriteLine("Could not insert. {0}", s.Name);
Console.WriteLine("Error Message {0}", ex.Message);
}
}
}