我想根据当前日期自动从数据库更新剩余天数到datagridview? [英] I want to update the remaining days automatically from database to datagridview according to current date?
本文介绍了我想根据当前日期自动从数据库更新剩余天数到datagridview?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我想根据当前日期自动更新Days_left栏
我尝试过:
< pre>命名空间WindowsFormsApplication3
{
public partial class Form1:Form
{
SqlConnection con = new SqlConnection(@Data Source = DESKTOP-F1TCIFJ; Initial Catalog = tempdb; Integrated Security = True);
private int selectedRow;
public Form1()
{
InitializeComponent();
}
private void Form1_Load(object sender,EventArgs e)
{
//// TODO:这行代码将数据加载到'tempdbDataSet1.khaas'表。您可以根据需要移动或删除它。
//this.khaasTableAdapter.Fill(this.tempdbDataSet1.khaas);
alternateColorChange(dataGridViewKhaas);
dataGridViewKhaas.MultiSelect = false;
}
public void alternateColorChange(DataGridView dgv)
{
dgv.RowsDefaultCellStyle.BackColor = Color.LightBlue ;
dgv.AlternatingRowsDefaultCellStyle.BackColor = Color.White;
}
// ............................... .................... KHAAS START ............................ ........................ //
private void btnKSave_Click(object sender,EventArgs e)
{
if(txtKVNumber.Text ==)
{
string myStringVariable1 = string.Empty;
MessageBox.Show(车号是必需的);
}
else if(cboKVColor.Text ==)
{
string myStringVariable2 = string.Empty;
MessageBox.Show(选择车辆颜色);
}
//对于组合框验证,我们应该遵循以下代码。
else if(cboKVBrand.Text ==)
{
string myStringVariable3 = string.Empty;
MessageBox.Show(选择汽车品牌);
}
else if(cboKVType.Text ==)
{
string myStringVariable12 = string.Empty;
MessageBox.Show(选择车辆类型);
}
// else if(dateTimePickerKhaas.Value.Date ==)
// {
// string myStringVariable4 = string.Empty;
// MessageBox.Show(选择车辆颜色);
//}
else if(txtKOName.Text ==)
{
string myStringVariable5 = string.Empty;
MessageBox.Show(所有者名称是必需的);
}
//否则if(txtKChassisNum.Text ==)
// {
// string myStringVariable6 = string.Empty;
// MessageBox.Show(机箱号是必需的);
//}
else if(txtKCivilID.Text ==)
{
string myStringVariable7 = string.Empty;
MessageBox.Show(需要民事身份证);
}
else if(txtKTelephone.Text ==)
{
string myStringVariable8 = string.Empty;
MessageBox.Show(电话号码是必需的);
}
其他
{
con.Open();
String query =INSERT INTO khaas(VNumber,VColor,VType,VBrand,VEDate,DaysLeft,OName,CivilID,Telephone)VALUES('+ txtKVNumber.Text +','+ cboKVColor.Text + ','+ cboKVType.Text +','+ cboKVBrand.Text +','+ dateTimePickerKhaas.Value.ToString(MM / dd / yyyy)+','+ txtKDaysLeft.Text + ','+ txtKOName.Text +','+ txtKCivilID.Text +','+ txtKTelephone.Text +');
SqlDataAdapter sda = new SqlDataAdapter(query,con);
DataTable dt = new DataTable();
sda.Fill(dt);
dataGridViewKhaas.DataSource = dt;
//sda.SelectCommand.ExecuteNonQuery();
con.Close();
grd_fillKhaas();
MessageBox.Show(成功插入);
txtKVNumber.Text =;
cboKVColor.Text =;
cboKVType.Text =;
cboKVBrand.Text =;
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text =;
txtKOName.Text =;
//txtKChassisNum.Text =;
txtKCivilID.Text =;
txtKTelephone.Text =;
}
}
public void grd_fillKhaas()
{
//con.Open();
String query =SELECT * FROM khaas;
SqlDataAdapter sda = new SqlDataAdapter(query,con);
DataTable dt = new DataTable();
sda.Fill(dt);
dataGridViewKhaas.DataSource = dt;
//con.Close();
}
private void dateTimePickerKhaas_ValueChanged(object sender,EventArgs e)
{
DateTime from = dateTimePickerKhaas.Value;
DateTime to = DateTime.Now;
TimeSpan Tspan = from - to;
double days = Tspan.TotalDays;
txtKDaysLeft.Text = days.ToString(0);
}
private void btnKUpdate_Click(object sender,EventArgs e)
{
if((txtKVNumber.Text ==)||(cboKVColor.Text = =)||(cboKVType.Text ==)||(cboKVBrand.Text ==)||(txtKDaysLeft.Text ==)||(txtKOName.Text ==)|| (txtKCivilID.Text ==)||(txtKTelephone.Text ==))
{
MessageBox.Show(请选择一个记录为更新);
}
else
{
DialogResult upd = MessageBox.Show(你确定要更新吗?+ txtKVNumber .Text +,Update,MessageBoxButtons.YesNo,MessageBoxIcon.Question);
if(upd == DialogResult.Yes)
{
con.Open();
SqlCommand cmd = new SqlCommand(UPDATE khaas SET VColor ='+ cboKVColor.Text +',VType ='+ cboKVType.Text +',VBrand ='+ cboKVBrand.Text +',VEDate ='+ dateTimePickerKhaas.Value.ToString(MM / dd / yyyy)+',DaysLeft ='+ txtKDaysLeft.Text +',OName ='+ txtKOName.Text +' ,CivilID ='+ txtKCivilID.Text +',Telephone ='+ txtKTelephone.Text +'WHERE VNumber ='+ txtKVNumber.Text +',con);
cmd.ExecuteNonQuery();
con.Close();
MessageBox.Show(记录更新成功!);
// displaydata();
grd_fillKhaas();
// clear();
txtKVNumber.Text =;
cboKVColor.Text =;
cboKVType.Text =;
cboKVBrand.Text =;
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text =;
txtKOName.Text =;
//txtKChassisNum.Text =;
txtKCivilID.Text =;
txtKTelephone.Text =;
btnKSave.Enabled = true;
}
其他
{
txtKVNumber.Text =;
cboKVColor.Text =;
cboKVType.Text =;
cboKVBrand.Text =;
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text =;
txtKOName.Text =;
//txtKChassisNum.Text =;
txtKCivilID.Text =;
txtKTelephone.Text =;
btnKSave.Enabled = true;
this.Show();
}
}
}
private void dataGridViewKhaas_CellContentDoubleClick(object sender,DataGridViewCellEventArgs e)
{
if(e.RowIndex == - 1)退货;
selectedRow = e.RowIndex;
DataGridViewRow row = dataGridViewKhaas.Rows [selectedRow];
txtKVNumber.Text = row.Cells [0] .Value.ToString();
cboKVColor.Text = row.Cells [1] .Value.ToString();
cboKVType.Text = row.Cells [2] .Value.ToString();
cboKVBrand.Text = row.Cells [3] .Value.ToString();
//dateTimePicker1.Value = row.Cells [4] .Value.ToString();
txtKDaysLeft.Text = row.Cells [5] .Value.ToString();
txtKOName.Text = row.Cells [6] .Value.ToString();
//txtKChassisNum.Text = row.Cells [7] .Value.ToString();
txtKCivilID.Text = row.Cells [7] .Value.ToString();
txtKTelephone.Text = row.Cells [8] .Value.ToString();
btnKSave.Enabled = false;
}
private void btnKDelete_Click(object sender,EventArgs e)
{
if((txtKVNumber.Text ==)||(cboKVColor.Text = =)||(cboKVType.Text ==)||(cboKVBrand.Text ==)||(txtKDaysLeft.Text ==)||(txtKOName.Text ==)|| (txtKCivilID.Text ==)||(txtKTelephone.Text ==))
{
MessageBox.Show(请选择一个记录为删除);
}
其他
{
DialogResult del = MessageBox.Show(你确定要删除吗?+ txtKVNumber .Text +,删除,MessageBoxButtons.YesNo,MessageBoxIcon.Question);
if(del == DialogResult.Yes)
{
con.Open();
SqlCommand cmd = new SqlCommand(从khaas WHERE中删除(VNumber ='+ txtKVNumber.Text +'),con);
cmd.ExecuteNonQuery();
con.Close();
MessageBox.Show(记录已成功删除!);
// displaydata();
grd_fillKhaas();
// clear();
txtKVNumber.Text =;
cboKVColor.Text =;
cboKVType.Text =;
cboKVBrand.Text =;
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text =;
txtKOName.Text =;
//txtKChassisNum.Text =;
txtKCivilID.Text =;
txtKTelephone.Text =;
btnKSave.Enabled = true;
}
else
{
txtKVNumber.Text =;
cboKVColor.Text =;
cboKVType.Text =;
cboKVBrand.Text =;
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text =;
txtKOName.Text =;
//txtKChassisNum.Text =;
txtKCivilID.Text =;
txtKTelephone.Text =;
btnKSave.Enabled = true;
this.Show();
}
}
}
private void btnKClear_Click(object sender,EventArgs e)
{
txtKVNumber.Text =;
cboKVColor.Text =;
cboKVType.Text =;
cboKVBrand.Text =;
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text =;
txtKOName.Text =;
//txtKChassisNum.Text =;
txtKCivilID.Text =;
txtKTelephone.Text =;
btnKSave.Enabled = true;
this.Show();
}
private void txtKSearch_TextChanged(object sender,EventArgs e)
{
con.Open();
String query =SELECT * FROM khaas WHERE VNumber like'+ txtKSearch.Text +%';
SqlDataAdapter sda = new SqlDataAdapter(query,con);
DataTable dt = new DataTable();
sda.Fill(dt);
dataGridViewKhaas.DataSource = dt;
con.Close();
}
private void btnKPrint_Click(object sender,EventArgs e)
{
DGVPrinter printer = new DGVPrinter();
printer.Title =NAQAL KHAAS; // Header
printer.SubTitle = string.Format(Date {0},DateTime.Now.Date.ToString(MM / dd / yyyy));
printer.SubTitleFormatFlags = StringFormatFlags.LineLimit | StringFormatFlags.NoClip;
printer.PageNumbers = true;
printer.PageNumberInHeader = false;
printer.PorportionalColumns = true;
printer.HeaderCellAlignment = StringAlignment.Near;
printer.Footer =未来国际运输公司; //页脚
printer.FooterSpacing = 15;
printer.PrintDataGridView(dataGridViewKhaas);
}
// ................................... ................... KHAAS结束............................. .......................... //
解决方案
< blockquote>如果你的表已经消失了,我认为sql注入攻击已经发生。
这是可行的,因为你通过附加与之相对应的字符串来创建sql stament用户输入了
INSERT INTO khaas(VNumber,VColor,VType,VBrand,VEDate,DaysLeft,OName,CivilID,Telephone)VALUES('txtKVNumber.Text + ','+ cboKVColor.Text +','+ cboKVType.Text +','+ cboKVBrand.Text +','+ dateTimePickerKhaas.Value.ToString(MM / dd / yyyy)+ ','+ txtKDaysLeft.Text +','+ txtKOName.Text +','+ txtKCivilID.Text +','+ txtKTelephone.Text +');
例如,如果用户在txtKTelepone中键入的内容如下:
999'; 'DROP TABLE khass
你的stament是在INSERT中转换后跟DROP TABLE转换的。
方式解决这种攻击是永远,永远,永远通过附加到字符串使用用户委托,而不是在你的sql stament中使用参数:
字符串查询=INSERT INTO khaas(VNumber,VColor, ......等等...... ,电话)VALUES(@ vnumber,@ vcolor, ......等等,等等...... ,@ telephone);
SqlCommand command = new SqlCommand(query,con);
command.Parameters.AddWithValue(@ vnumber,txtKVNumber.Text);
command.Parameters.AddWithValue(@ vcolor,cboKVColor.Text)
... blah,blah ..
command.Parameters.AddWithValue(@ telephone,txtKTelephone.Text) ;
不喜欢......
开始时有两个问题,一个是微不足道的,一个是非常严重的。
简单易懂:不要对连接字符串进行硬编码。总是使用配置文件(或者至少一个const值,如果你不知道如何使用配置文件) - 硬编码意味着应用程序必须是在您发布代码时,每个连接到您的数据库的地方都会发生变化,这意味着您需要重新测试所有内容时的可靠性问题,但这次是针对生产数据库...
严重的一点是你永远不应该连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。改为使用参数化查询。
数据库表(或其数据)的消失不太可能与您的代码相关 - 除非您在其他地方有特定的代码来执行此操作 - 您需要查看其他访问数据库的内容,但由于SQL实例是通过全名PC规范访问的,而不是本地主机地址,因此很可能其他一些用户或应用程序正在为您删除它
I want update Days_left column automatically according to current date
What I have tried:
<pre>namespace WindowsFormsApplication3
{
public partial class Form1 : Form
{
SqlConnection con = new SqlConnection(@"Data Source=DESKTOP-F1TCIFJ;Initial Catalog=tempdb;Integrated Security=True");
private int selectedRow;
public Form1()
{
InitializeComponent();
}
private void Form1_Load(object sender, EventArgs e)
{
//// TODO: This line of code loads data into the 'tempdbDataSet1.khaas' table. You can move, or remove it, as needed.
//this.khaasTableAdapter.Fill(this.tempdbDataSet1.khaas);
alternateColorChange(dataGridViewKhaas);
dataGridViewKhaas.MultiSelect = false;
}
public void alternateColorChange(DataGridView dgv)
{
dgv.RowsDefaultCellStyle.BackColor = Color.LightBlue;
dgv.AlternatingRowsDefaultCellStyle.BackColor = Color.White;
}
//...................................................KHAAS START....................................................//
private void btnKSave_Click(object sender, EventArgs e)
{
if (txtKVNumber.Text == "")
{
string myStringVariable1 = string.Empty;
MessageBox.Show("Vehicle Number is required");
}
else if (cboKVColor.Text == "")
{
string myStringVariable2 = string.Empty;
MessageBox.Show("Select Vehicle Color");
}
//For combobox validation we should follow the below code.
else if (cboKVBrand.Text == "")
{
string myStringVariable3 = string.Empty;
MessageBox.Show("Select Vehicle Brand");
}
else if (cboKVType.Text == "")
{
string myStringVariable12 = string.Empty;
MessageBox.Show("Select Vehicle Type");
}
//else if (dateTimePickerKhaas.Value.Date == "")
//{
// string myStringVariable4 = string.Empty;
// MessageBox.Show("Select Vehicle Color");
//}
else if (txtKOName.Text == "")
{
string myStringVariable5 = string.Empty;
MessageBox.Show("Owner Name is required");
}
//else if (txtKChassisNum.Text == "")
//{
// string myStringVariable6 = string.Empty;
// MessageBox.Show("Chassis Number is required");
//}
else if (txtKCivilID.Text == "")
{
string myStringVariable7 = string.Empty;
MessageBox.Show("Civil ID is required");
}
else if (txtKTelephone.Text == "")
{
string myStringVariable8 = string.Empty;
MessageBox.Show("Telephone Number is required");
}
else
{
con.Open();
String query = "INSERT INTO khaas (VNumber, VColor, VType, VBrand, VEDate, DaysLeft, OName, CivilID, Telephone) VALUES('" + txtKVNumber.Text + "', '" + cboKVColor.Text + "', '" + cboKVType.Text + "', '" + cboKVBrand.Text + "', '" + dateTimePickerKhaas.Value.ToString("MM/dd/yyyy") + "' ,'" + txtKDaysLeft.Text + "','" + txtKOName.Text + "', '" + txtKCivilID.Text + "', '" + txtKTelephone.Text + "' )";
SqlDataAdapter sda = new SqlDataAdapter(query, con);
DataTable dt = new DataTable();
sda.Fill(dt);
dataGridViewKhaas.DataSource = dt;
//sda.SelectCommand.ExecuteNonQuery();
con.Close();
grd_fillKhaas();
MessageBox.Show("Inserted Successfully");
txtKVNumber.Text = "";
cboKVColor.Text = "";
cboKVType.Text = "";
cboKVBrand.Text = "";
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text = "";
txtKOName.Text = "";
//txtKChassisNum.Text = "";
txtKCivilID.Text = "";
txtKTelephone.Text = "";
}
}
public void grd_fillKhaas()
{
//con.Open();
String query = "SELECT * FROM khaas";
SqlDataAdapter sda = new SqlDataAdapter(query, con);
DataTable dt = new DataTable();
sda.Fill(dt);
dataGridViewKhaas.DataSource = dt;
//con.Close();
}
private void dateTimePickerKhaas_ValueChanged(object sender, EventArgs e)
{
DateTime from = dateTimePickerKhaas.Value;
DateTime to = DateTime.Now;
TimeSpan Tspan = from - to;
double days = Tspan.TotalDays;
txtKDaysLeft.Text = days.ToString("0");
}
private void btnKUpdate_Click(object sender, EventArgs e)
{
if ((txtKVNumber.Text == "") || (cboKVColor.Text == "") || (cboKVType.Text == "") || (cboKVBrand.Text == "") || (txtKDaysLeft.Text == "") || (txtKOName.Text == "") || (txtKCivilID.Text == "") || (txtKTelephone.Text == ""))
{
MessageBox.Show("Please select a recored to Update");
}
else
{
DialogResult upd = MessageBox.Show("Are you Sure you want to Update?" + txtKVNumber.Text + "", "Update", MessageBoxButtons.YesNo, MessageBoxIcon.Question);
if (upd == DialogResult.Yes)
{
con.Open();
SqlCommand cmd = new SqlCommand("UPDATE khaas SET VColor='" + cboKVColor.Text + "', VType='" + cboKVType.Text + "', VBrand='" + cboKVBrand.Text + "', VEDate='" + dateTimePickerKhaas.Value.ToString("MM/dd/yyyy") + "', DaysLeft='" + txtKDaysLeft.Text + "', OName='" + txtKOName.Text + "', CivilID='" + txtKCivilID.Text + "', Telephone='" + txtKTelephone.Text + "' WHERE VNumber='" + txtKVNumber.Text + "'", con);
cmd.ExecuteNonQuery();
con.Close();
MessageBox.Show("Record Updated Successfully!");
//displaydata();
grd_fillKhaas();
//clear();
txtKVNumber.Text = "";
cboKVColor.Text = "";
cboKVType.Text = "";
cboKVBrand.Text = "";
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text = "";
txtKOName.Text = "";
//txtKChassisNum.Text = "";
txtKCivilID.Text = "";
txtKTelephone.Text = "";
btnKSave.Enabled = true;
}
else
{
txtKVNumber.Text = "";
cboKVColor.Text = "";
cboKVType.Text = "";
cboKVBrand.Text = "";
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text = "";
txtKOName.Text = "";
//txtKChassisNum.Text = "";
txtKCivilID.Text = "";
txtKTelephone.Text = "";
btnKSave.Enabled = true;
this.Show();
}
}
}
private void dataGridViewKhaas_CellContentDoubleClick(object sender, DataGridViewCellEventArgs e)
{
if (e.RowIndex == -1) return;
selectedRow = e.RowIndex;
DataGridViewRow row = dataGridViewKhaas.Rows[selectedRow];
txtKVNumber.Text = row.Cells[0].Value.ToString();
cboKVColor.Text = row.Cells[1].Value.ToString();
cboKVType.Text = row.Cells[2].Value.ToString();
cboKVBrand.Text = row.Cells[3].Value.ToString();
//dateTimePicker1.Value = row.Cells[4].Value.ToString("");
txtKDaysLeft.Text = row.Cells[5].Value.ToString();
txtKOName.Text = row.Cells[6].Value.ToString();
//txtKChassisNum.Text = row.Cells[7].Value.ToString();
txtKCivilID.Text = row.Cells[7].Value.ToString();
txtKTelephone.Text = row.Cells[8].Value.ToString();
btnKSave.Enabled = false;
}
private void btnKDelete_Click(object sender, EventArgs e)
{
if ((txtKVNumber.Text == "") || (cboKVColor.Text == "") || (cboKVType.Text == "") || (cboKVBrand.Text == "") || (txtKDaysLeft.Text == "") || (txtKOName.Text == "") || (txtKCivilID.Text == "") || (txtKTelephone.Text == ""))
{
MessageBox.Show("Please select a recored to Delete");
}
else
{
DialogResult del = MessageBox.Show("Are you Sure you want to Delete?" + txtKVNumber.Text + "", "Delete", MessageBoxButtons.YesNo, MessageBoxIcon.Question);
if (del == DialogResult.Yes)
{
con.Open();
SqlCommand cmd = new SqlCommand("DELETE from khaas WHERE (VNumber='" + txtKVNumber.Text + "')", con);
cmd.ExecuteNonQuery();
con.Close();
MessageBox.Show("Record Deleted Successfully!");
//displaydata();
grd_fillKhaas();
//clear();
txtKVNumber.Text = "";
cboKVColor.Text = "";
cboKVType.Text = "";
cboKVBrand.Text = "";
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text = "";
txtKOName.Text = "";
//txtKChassisNum.Text = "";
txtKCivilID.Text = "";
txtKTelephone.Text = "";
btnKSave.Enabled = true;
}
else
{
txtKVNumber.Text = "";
cboKVColor.Text = "";
cboKVType.Text = "";
cboKVBrand.Text = "";
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text = "";
txtKOName.Text = "";
//txtKChassisNum.Text = "";
txtKCivilID.Text = "";
txtKTelephone.Text = "";
btnKSave.Enabled = true;
this.Show();
}
}
}
private void btnKClear_Click(object sender, EventArgs e)
{
txtKVNumber.Text = "";
cboKVColor.Text = "";
cboKVType.Text = "";
cboKVBrand.Text = "";
dateTimePickerKhaas.Value = DateTime.Now;
txtKDaysLeft.Text = "";
txtKOName.Text = "";
//txtKChassisNum.Text = "";
txtKCivilID.Text = "";
txtKTelephone.Text = "";
btnKSave.Enabled = true;
this.Show();
}
private void txtKSearch_TextChanged(object sender, EventArgs e)
{
con.Open();
String query = "SELECT * FROM khaas WHERE VNumber like'" + txtKSearch.Text + "%'";
SqlDataAdapter sda = new SqlDataAdapter(query, con);
DataTable dt = new DataTable();
sda.Fill(dt);
dataGridViewKhaas.DataSource = dt;
con.Close();
}
private void btnKPrint_Click(object sender, EventArgs e)
{
DGVPrinter printer = new DGVPrinter();
printer.Title = "NAQAL KHAAS"; //Header
printer.SubTitle = string.Format("Date {0}", DateTime.Now.Date.ToString("MM/dd/yyyy"));
printer.SubTitleFormatFlags = StringFormatFlags.LineLimit | StringFormatFlags.NoClip;
printer.PageNumbers = true;
printer.PageNumberInHeader = false;
printer.PorportionalColumns = true;
printer.HeaderCellAlignment = StringAlignment.Near;
printer.Footer = "Future International Transport Company"; //Footer
printer.FooterSpacing = 15;
printer.PrintDataGridView(dataGridViewKhaas);
}
//......................................................KHAAS END.......................................................// 解决方案
If your table have disappeared, I think a sql injection attack have ocurred.
This is posible because you create the sql stament by appending strings that corresponds with what the user have typed
"INSERT INTO khaas (VNumber, VColor, VType, VBrand, VEDate, DaysLeft, OName, CivilID, Telephone) VALUES('" + txtKVNumber.Text + "', '" + cboKVColor.Text + "', '" + cboKVType.Text + "', '" + cboKVBrand.Text + "', '" + dateTimePickerKhaas.Value.ToString("MM/dd/yyyy") + "' ,'" + txtKDaysLeft.Text + "','" + txtKOName.Text + "', '" + txtKCivilID.Text + "', '" + txtKTelephone.Text + "' )";
If, for example, the user type in the txtKTelepone somethig like:
999' ; 'DROP TABLE khass
your stament is converted in a INSERT followed by a DROP TABLE.
The way to solve this kind of attack is never, never, never use the user entrys by appending to string, instead use parameters in your sql stament:
String query = "INSERT INTO khaas (VNumber, VColor, ... blah blah... , Telephone) VALUES(@vnumber,@vcolor, ... blah, blah... , @telephone )"; SqlCommand command= new SqlCommand(query,con); command.Parameters.AddWithValue("@vnumber",txtKVNumber.Text); command.Parameters.AddWithValue("@vcolor",cboKVColor.Text) ... blah, blah.. command.Parameters.AddWithValue("@telephone",txtKTelephone.Text);
Not like that...
Two problems to start with, one trivial, one very serious.
The trivial one is easy: don't hard-code connection strings. Always use a configuration file (or at the very least a singleconstvalue if you don;t know how to use configuration files yet) - hard coding means the application has to be changed in every place that connects to your DB when you release the code, and that means reliability problems as you need to retest everything, but against a production DB this time...
The serious one is that you should never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
The disappearance of the DB table (or it's data) is unlikely to be related to your code - unless you have specific code elsewhere to do that - you need to look at what else accesses the DB, but since the SQL instance is accessed via a "whole name" PC specification, rather than a "localhost" address, it's quite possible that some other user or application is deleting it for you.
这篇关于我想根据当前日期自动从数据库更新剩余天数到datagridview?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
