异常错误'System.Web.UI.WebControls.DataControlFieldCell'附近的语法不正确。我该如何解决我的错误 [英] Exception Error Incorrect syntax near 'System.Web.UI.WebControls.DataControlFieldCell'. how can I resolve my error

问题描述

<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False" EnableModelValidation="True" Width="220px"  >

            <Columns>


                                <asp:BoundField DataField="QUESTION_NO" HeaderText="Q_NO" />
                                <asp:BoundField DataField="QUESTION_DESCRIPTION" HeaderText="DESCRIPTION" />



                <asp:TemplateField HeaderText="ANSWERS">
                    <ItemTemplate>
                        <asp:DropDownList ID="DropDownListUser" runat="server" AutoPostBack="False">
                            <asp:ListItem Text="Yes" Value="True"></asp:ListItem>
                            <asp:ListItem Text="No" Value="False"></asp:ListItem>
                        </asp:DropDownList>
                    </ItemTemplate>
                </asp:TemplateField>



            </Columns>



        </asp:GridView>

string query;
               for (int i = 0; i < GridView1.Rows.Count - 1; i++)
               {

                   query = "insert into student_info values('" + regtxtbox.Text + "','" + gentxtbox.Text + "','" + bactxtbox.Text + "','" + pretxtbox.Text + "','" + gratxtbox.Text + "','" + Unetxtbox.Text + "','" + agetxtbox.Text + "','" + cgptxtbox.Text + "','" + smetxtbox.Text + "','" + sestxtbox.Text + "','" + exptxtbox.Text + "','" + martxtbox.Text + "'.'" + GridView1.Rows[i].Cells[0].ToString() + "','" + GridView1.Rows[i].Cells[2].ToString() + "')";

                   MessageBox.Show("SURVEY INFORMATION HAS BEEN STORED IN DATABASE");

                   SqlCommand cmd = new SqlCommand(query, conobj);

                   cmd.ExecuteNonQuery();
               }

推荐答案

简单：不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。请改用参数化查询。



目前，您可以访问任何有权访问您网站的人：他们可以输入您的任何一个文本框，删除你的数据库。

连接也会导致你的问题，因为

Simple: Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

At the moment, you are wide open to anyone who has access to you site: they can type in any one of your text boxes, and delete your database.
And the concatenation also causes your problem, because

GridView1.Rows[i].Cells[2].ToString()

返回控件名称System.Web.UI.WebControls.DataControlFieldCell而不是它的内容。如果使用参数化查询，则可以直接传递单元格值，而不必先将其转换为字符串。

returns the name of the control, "System.Web.UI.WebControls.DataControlFieldCell" rather than it's content. If you use a parameterised query, you can pass the cell value through directly without converting it to a string first.

这篇关于异常错误'System.Web.UI.WebControls.DataControlFieldCell'附近的语法不正确。我该如何解决我的错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！