收到错误..请验证代码。 [英] Getting an error.. Please verify code.

问题描述

这是我的代码。我正在尝试将arraylist中的arraylist内容传输到ACCESS数据库。运行时出现以下错误：没有给出一个或多个必需参数的值。我无法弄清楚问题是什么。我是新手所以请原谅我的无知，如果有一个愚蠢的错误。

  string  con =   Provider = Microsoft.ACE.OLEDB.12.0; DataSource = | DataDirectory | \\Actual1.accdb ; 
 OleDbConnection cn =  new  OleDbConnection（con）; 
 
  for （i =  0 ; i <  =  3 ; i ++）
 {
  for （j =  0 ; j <  =  3 ; j ++）
 {
  string  column_name =   cl + i; 
 OleDbCommand cmd =  new  OleDbCommand（ 更新表1设置 + column_name +   = + str [i] [j] + < span class =code-string> 其中ID = + i +  < span class =code-string>，cn）; 
 cmd.Connection.Open（）; 
 cmd.ExecuteNonQuery（）; 
 cmd.Connection.Close（）; 
} 
} 

当cmd.executenonquery（）时发生
错误执行。

column_name是cl0。

i = 0.

j = 0.

解决方案

可能，它与str数组中的内容有关。

以这种方式执行它是非常危险的：不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。改为使用参数化查询。

这些更改将同时解决您的问题：

 OleDbCommand cmd =  new  OleDbCommand（  Update Table1 set + column_name +   = @ CL其中ID = + i +  ，cn）; 
 cmd.Parameters.AddWithValue（  @ CL，str [i] [j] ）; 
 cmd.Connection.Open（）; 
 cmd.ExecuteNonQuery（）; 

从技术上讲，ID也应该是一个参数，但由于它是一个int，所以它不是问题。但是文本字符串列内容可以是 任何内容。

在SQL注入时，请参阅： http://en.wikipedia.org/wiki/SQL_injection [ ^ ]。



这是它的工作原理：http://xkcd.com/327 [ ^ ]。 :-)



想法是：用户可以在UI中输入SQL代码片段。请查看我过去的答案：

在com.ExecuteNonQuery（）中更新EROR; [ ^ ]，

你的名字没有显示名称？ [ ^ ]。



这是你应该使用的： http://msdn.microsoft.com/en-us/library/ff648339.aspx [ ^ ]。

-SA

This is my code. I'm trying to transfer contents of arraylist within an arraylist in to a ACCESS database. i get the following error when I run it:No value given for one or more required parameters . i can't figure out what the problem is. I'ma newbie so please forgive my ignorance if there's a stupid mistake.

string con = "Provider=Microsoft.ACE.OLEDB.12.0;DataSource=|DataDirectory|\\Actual1.accdb";
OleDbConnection cn = new OleDbConnection(con);
                   
for (i = 0; i <= 3; i++)
{
  for (j = 0; j <= 3; j++)
  {
    string column_name = "cl" + i;
    OleDbCommand cmd = new OleDbCommand("Update Table1 set "+column_name+"="+str[i][j]+" where ID="+i+"", cn);
    cmd.Connection.Open();
    cmd.ExecuteNonQuery();
    cmd.Connection.Close();
  }
}

error occurs when cmd.executenonquery(); is executed.
column_name is cl0.
i=0.
j=0.

解决方案

Probably, it has to do with the content on your str array.
It's very dangerous to do it that way: Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
The changes are that will cure your problem at the same time:

OleDbCommand cmd = new OleDbCommand("Update Table1 set "+column_name+"=@CL where ID="+i+"", cn);
cmd.Parameters.AddWithValue("@CL", str[i][j]);
cmd.Connection.Open();
cmd.ExecuteNonQuery();

Technically, the ID should be a parameter as well, but since it's an int it's not a problem.But the text string for the column content could be anything.

On SQL injection, please see: http://en.wikipedia.org/wiki/SQL_injection[^].

This is how it works: http://xkcd.com/327[^]. :-)

The idea is: the user can enter a fragment of SQL code in the UI. Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].

This is what you should use: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].

—SA

这篇关于收到错误..请验证代码。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！