在发出订单之前检查库存余额 [英] Checking inventory balance before issuing order

问题描述

SqlConnection Connection = new SqlConnection("Data Source=localhost;Initial Catalog=warehousedb;Integrated Security=True ");
                SqlDataAdapter INVadapter = new SqlDataAdapter("Select ItemID, ItemName,  Quantity FROM inventory ", Connection);
                int SelectedDPItem;
                int InventoryQTY;
                int DinventoryQTY;
                //SelectedDPItem = Convert.ToInt32(DropDownListItem_D.SelectedValue);
                SelectedDPItem = int.Parse(DropDownListItem_D.SelectedValue.ToString());
                //  Open Connection
                Connection.Open();
                SqlCommand Inventorychkcommand = new SqlCommand(("Select  Quantity FROM inventory " + ("WHERE (ItemName LIKE \'"
                    + (DropDownListItem_D.Text + "\')"))), Connection);
                InventoryQTY = Convert.ToInt32(Inventorychkcommand.ExecuteScalar());
             
                DinventoryQTY = Convert.ToInt32(txtQuantity_D.Text);
                Connection.Close();

                if (InventoryQTY == 0 || InventoryQTY < DinventoryQTY)

                    ClientScript.RegisterStartupScript(this.GetType(), "key", "<script>alert('sorry , Stock Balance is less than requested quantity. Item cannot be dispatched')</script>");
                    
                else






            {

                // procedure of inserting the record
                 AddNewRecordRowToGrid();

我的尝试：



我尝试使用此代码检查库存是否小于发货数量并给出错误消息，否则将记录添加到网格准备发送。它工作正常，即使减少发送数量小于库存，错误信息仍然显示没有插入到网格发生。请帮助排除故障。

What I have tried:

I have tried using this code to check if inventory is less than dispatch quantity and give error message, else add record to grid ready for dispatch. it works fine only that even after reducing dispatch quantity to be less than inventory, the error message still shows hnce no insert to grid occuring. pls help troubleshoot.

推荐答案

请参阅我对Richard Deeming对问题的优秀评论的评论。在解决问题之前（或者代替它），你必须解决更严重的问题。



你的方法从一开始就是错误的。通过串联从UI获取的字符串组成的查询。不仅重复的字符串连接是低效的（因为字符串是不可变的;我是否必须解释为什么它会使重复连接变坏？），但是有更重要的问题：它打开了通向良好的大门已知的漏洞称为 SQL注入。



这是它的工作原理： http://xkcd.com/327 。



你明白了吗？从控件中获取的字符串可以是任何东西，包括......一段SQL代码。



怎么办？只需阅读有关此问题和主要补救措施：参数化语句： http://en.wikipedia.org/ wiki / SQL_injection 。



使用ADO.NET，使用：http://msdn.microsoft.com/en-us/library/ff648339.aspx 。



请参阅我过去的答案有更多细节：

在com.ExecuteNonQuery中更新EROR（ ）; ，

嗨名字没有显示在名称中？。

-SA

Please see my comment to the excellent comment to the question by Richard Deeming. Before solving your problem (or instead of it), you have to solve much more serious one.

Your approach is wrong from the very beginning. The query composed by concatenation with strings taken from UI. Not only repeated string concatenation is inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but there is way more important issue: it opens the doors to a well-known exploit called SQL injection.

This is how it works: http://xkcd.com/327.

Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.

What to do? Just read about this problem and the main remedy: parametrized statements: http://en.wikipedia.org/wiki/SQL_injection.

With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA

这篇关于在发出订单之前检查库存余额的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！