需要帮助session()提交 [英] Need help with session( ) submission
问题描述
在我的论坛上,我试图通过正确的工作来发布。我尝试将Session(member)=空白并且我收到错误,所以我添加了一个假名,现在它提交了帖子。
I不要那样。我希望它通过MemberName读取哪个成员发布。
(0)(0)错误是因为当一个成员注册时他们假设得到1点,我发现它没有给出那一点。原因是它将新成员填充到点表中。我解决了这个问题,并且(0)(0)错误消失了。
然而我原来的问题是我试图找到一个代码示例或者有人可以告诉我为什么我必须在:Session(member)=(不发布)Session(member)=假名(发布为假名)中有我的名字或名字(假)。我需要它根据发布的成员发布MemberName。
db TABLE问题示例
第1栏:memQuestion(标题)为什么植物变绿?
第2栏:qPostedBymem(标题)Charles Smith(会员名字段)
第3栏:qAnswer(标题)因为植物看不到颜色为绿色
第4栏:qAnswerBymem(标题)假名(会员名称)
第5栏: qAnswerDate(标题)09/03/20017
第4列是问题所在。伪名称不会出现在数据库的成员表中。这种关系已经确定。该死的东西对我这样的人我没有看到答案。
我尝试过的事情:
受保护的Sub Button1_Click(ByVal sender As Object,ByVal e As System.EventArgs)处理Button1.Click
If Button1.Text =Ask QuestionThen
如果TextBox1.Text<> 然后
For each s As String in invalid
If TextBox1.Text.ToLower.Contains(s)= True然后
errMessage.Text = Server.HtmlEncode(不能包含< h1> ;,<脚本>,< input>,< a>等标签)
退出Sub
结束如果
下一个
con =新OleDbConnection(Provider = Microsoft .Jet.Oledb.4.0; data source =& Server.MapPath(app_data / SimpleQSet.mdb)&;)
com.Connection = con
Session( member)=
Dim run As New Random
Dim qid As String = ran.Next(0,TextBox1.Text.Length)
com.CommandText =insert into QuestionList values ('+ qid +','+ TextBox1.Text +','+ DropDownList1.SelectedValue +','+ DateTime.Now.ToLongDateString()+','+ Session(成员)+')
con.Open()
com.ExecuteNonQuery()
Dim pointCnt As New DataTable
pointDs = New OleDbDataAdapter(Points [points] from Points ='+ Session(member)+',con)
pointDs.Fill(pointCnt) )
Dim pnt As Integer = pointCnt.Rows(0)(0)+ 1
com.CommandText =update points set [points] ='& pnt& 'where member ='&会话(会员)& '
com.ExecuteNonQuery()
con.Close()
否则
errMessage.Text =问题不能为空
结束如果
否则
Response.Redirect(default.aspx)
结束如果
结束次级
问题是你没有检查你的选择是否有答案,使用调试器来检查错误位置的变量。
问题是你没有检查pointCnt中是否有东西,这是一个坏习惯。 />
pointCnt中没有任何内容,因为你从不尝试在其中添加内容。
实际上,你的SQL命令被执行了在pointDs。
在调试器的帮助下,您可以在故障点检查变量,这通常有助于理解发生了什么错误。
-----
有一个工具可以让你去你的代码在做什么,它的名字是调试器。它也是一个很好的学习工具,因为它向你展示了现实,你可以看到哪种期望与现实相符。
当你不明白你的代码在做什么或为什么它做它做的时候,答案就是答案是调试器。
使用调试器查看代码正在执行的操作。只需设置断点并查看代码执行情况,调试器允许您逐行执行第1行并在执行时检查变量。
调试器 - 维基百科,免费的百科全书 [ ^ ]
Visual Basic / Visual Studio视频教程 - 基本调试 - YouTube [ ^ ]
初学者的Visual Basic .NET编程 - 断点和调试工具 [ ^ ]
调试器在这里向您展示您的代码正在做什么,您的任务是与它应该做什么进行比较。
调试器中没有魔法,它没有发现错误,它只是帮助你。当代码没有达到预期效果时,你就接近了一个错误。
-----
不是你问题的解决方案,但另一个问题你有。
永远不要通过连接字符串来构建SQL查询。迟早,您将使用用户输入来执行此操作,这会打开一个名为SQL注入的漏洞,这对您的数据库很容易并且容易出错。
名称中的单引号你的程序崩溃。如果用户输入像Brian O'Conner这样的名称可能会使您的应用程序崩溃,那么这是一个SQL注入漏洞,崩溃是最少的问题,恶意用户输入,并且它被提升为具有所有凭据的SQL命令。
SQL注入 - 维基百科 [ ^ ]
SQL注入 [ ^ ]
按示例进行SQL注入攻击 [ ^ ]
PHP:SQL注入 - 手册 [ ^ ]
SQL注入预防备忘单 - OWASP [ ^ ]
您的代码中包含以下内容:
Dim pointCnt 作为 新 DataTable
下一个你引用的时间pointCnt变量在这里:
Dim pnt 作为 整数 = pointCnt.Rows( 0 )( 0 )+ 1
当然它会失败,没有配置数据表,你只将其配置为空。
On my forum I am trying to get the posted by working correctly. I tried having the Session("member") = "" blank and I was getting an error so I added a fake name and now it submits the post.
I don't want that. I want it to read which member is posting by their "MemberName".
The (0)(0) error was because when a member registers they are suppose to get 1 point, and I found it was not giving that point. The reason for that is it populates the new member into the points table. I fixed that and the (0)(0) error went away.
However my original problem I was trying to find a code sample or if someone could show me why I have to have my name or a name (fake) in the: Session("member") = "" (does not publish) Session("member") = "fake name" , (publishes as fake name). I need it to publish the "MemberName" based on the member doing the publishing.
Example of db TABLE Question
Column 1: memQuestion (header) Why does the plant grow green?
Column 2: qPostedBymem (header) Charles Smith (MemberName field)
Column 3: qAnswer (header) Because plants don't see the color green
Column 4: qAnswerBymem (header) fake name (MemberName)
Column 5: qAnswerDate (header) 09/03/20017
Column 4 is the problem. Fake name does not appear in the "Member" table in the database. The relationship is set. Damn thing for the likes of me I don't see an answer.
What I have tried:
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
If Button1.Text = "Ask Question" Then
If TextBox1.Text <> "" Then
For Each s As String In invalid
If TextBox1.Text.ToLower.Contains(s) = True Then
errMessage.Text = Server.HtmlEncode("Cannot Contain <h1>,<Script>,<input>,<a> etc tags")
Exit Sub
End If
Next
con = New OleDbConnection("Provider=Microsoft.Jet.Oledb.4.0 ;data source=" & Server.MapPath("app_data/SimpleQSet.mdb") & ";")
com.Connection = con
Session("member") = ""
Dim ran As New Random
Dim qid As String = ran.Next(0, TextBox1.Text.Length)
com.CommandText = "insert into QuestionList values('" + qid + "','" + TextBox1.Text + "','" + DropDownList1.SelectedValue + "','" + DateTime.Now.ToLongDateString() + "','" + Session("member") + "')"
con.Open()
com.ExecuteNonQuery()
Dim pointCnt As New DataTable
pointDs = New OleDbDataAdapter("select [points] from Points where Member='" + Session("member") + "'", con)
pointDs.Fill(pointCnt)
Dim pnt As Integer = pointCnt.Rows(0)(0) + 1
com.CommandText = "update points set [points]='" & pnt & "' where member='" & Session("member") & "'"
com.ExecuteNonQuery()
con.Close()
Else
errMessage.Text = "Question Cannot Be Blank"
End If
Else
Response.Redirect("default.aspx")
End If
End Sub
The problem is that you don't check if there is an answer to yourselect, use the debugger to inspect the variables at position of error.
The problem is that you don't check if there is something inpointCnt, that is a bad habit.
There is nothing inpointCntbecause you never try to put something in it.
In fact, your SQL command is executed inpointDs.
With the help of debugger, you can inspect variables at point of failure, it is usually a great help to understand what is going wrong.
-----
There is a tool that allow you to see what your code is doing, its name is debugger. It is also a great learning tool because it show you reality and you can see which expectation match reality.
When you don't understand what your code is doing or why it does what it does, the answer is debugger.
Use the debugger to see what your code is doing. Just set a breakpoint and see your code performing, the debugger allow you to execute lines 1 by 1 and to inspect variables as it execute.
Debugger - Wikipedia, the free encyclopedia[^]
Visual Basic / Visual Studio Video Tutorial - Basic Debugging - YouTube[^]
Visual Basic .NET programming for Beginners - Breakpoints and Debugging Tools[^]
The debugger is here to show you what your code is doing and your task is to compare with what it should do.
There is no magic in the debugger, it don't find bugs, it just help you to. When the code don't do what is expected, you are close to a bug.
-----
Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
You have the following in your code:
Dim pointCnt As New DataTable
The next time that you referencepointCntvariable is here:
Dim pnt As Integer = pointCnt.Rows(0)(0) + 1
Of course it will fail, there are no data tables configured, you have only configured it as empty.
这篇关于需要帮助session()提交的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
