ASP.NET，MS SQL表插入代码的问题 [英] problems with ASP.NET, MS SQL Table Insert Code

问题描述

嗨
我有一个问题，我无法弄明白。我搜索了很多网站，但我仍然不明白为什么会失败。



我尝试将数据输入到sql表中



主页面文件的一部分test2.aspx

Hi I have a problem I can not figure out. And I have searched through many websites and I still do not understand why it fails.

I try to enter data into a sql table

Part of Main Page File test2.aspx

<%@ Page Title="test2" Language="VB" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="test2.aspx.vb" Inherits="WebApplication1._Default" %>

<asp:Content runat="server" ID="FeaturedContent" ContentPlaceHolderID="FeaturedContent"> 
    </asp:Content>

<asp:Content runat="server" ID="BodyContent" ContentPlaceHolderID="MainContent">
    <asp:TextBox ID="TextBoxL" runat="server"></asp:TextBox>
    <asp:TextBox ID="TextBoxLM" runat="server"></asp:TextBox>
    <asp:TextBox ID="TextBoxM" runat="server"></asp:TextBox>
    <asp:TextBox ID="TextBoxRM" runat="server"></asp:TextBox>
    <asp:TextBox ID="TextBoxR" runat="server"></asp:TextBox>
<asp:Button ID="Buttonismine" runat="server" Text="Click Me" />
    
</asp:Content>
<asp:Content ID="Content1" runat="server" contentplaceholderid="HeadContent">
    </asp:Content>

代码文件test2.aspx.vb

The code File test2.aspx.vb

Imports System.Data.SqlClient
Partial Class _Default
    Inherits System.Web.UI.Page
    Dim con As SqlConnection
    Dim cmd As SqlCommand
    Protected Sub Buttonismine_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Buttonismine_Click

        con = New SqlConnection("Data Source=VNW8;Initial Catalog=Events;Integrated Security=True")
        cmd = New SqlCommand("INSERT INTO World (why,would,you,not,work)VALUES(@R1, @R2, @R3, @R4, @R5)", con)
        cmd.Parameters.AddWithValue("@R1", TextBoxL.Text)
        cmd.Parameters.AddWithValue("@R2", TextBoxLM.Text)
        cmd.Parameters.AddWithValue("@R3", TextBoxM.Text)
        cmd.Parameters.AddWithValue("@R4", TextBoxRM.Text)
        cmd.Parameters.AddWithValue("@R5", TextBoxR.Text)
        cmd.ExecuteNonQuery()
        con.Close()
    End Sub
End Class

这就是我在SQL Server Managment Studio中创建表格的方式

And this is how i created the table in SQL Server Managment Studio

CREATE TABLE [dbo].[World](
	[ID] [int] IDENTITY(1,1) NOT NULL,
	[why] [varchar](50) NULL,
	[would] [varchar](50) NULL,
	[you] [varchar](50) NULL,
	[not] [nvarchar](50) NULL,
	[work] [nvarchar](50) NULL,
 CONSTRAINT [PK_Servers] PRIMARY KEY CLUSTERED 
(

感谢您提出的所有好建议。现在我有一些我必须要看的新错误。



处理Buttonismine_click是预期的

TextBoxL未声明。由于其保护级别，它可能无法访问。

未声明TextBoxLM。由于其保护级别，它可能无法访问。

未声明TextBoxM。由于其保护级别，它可能无法访问。

未声明TextBoxRM。由于其保护级别，它可能无法访问。

未声明TextBoxR。由于其保护级别，它可能无法访问。

Thanks for all the great suggestions. and now I've got some new errors I have to look at.

"handles Buttonismine_click" is Expected
TextBoxL is not declared. It may be inaccessible due to its protection level.
TextBoxLM is not declared. It may be inaccessible due to its protection level.
TextBoxM is not declared. It may be inaccessible due to its protection level.
TextBoxRM is not declared. It may be inaccessible due to its protection level.
TextBoxR is not declared. It may be inaccessible due to its protection level.

推荐答案

我仍然不明白为什么会失败。



这个错误报告并不多 - 它没有告诉我们这个问题。



但......你在这里犯了一个很大的错误，这可能是你问题的原因。

"I still do not understand why it fails."

This isn't much as error reports go - it tells us nothing much about the problem.

But...there is a very big mistake you are making here, which may be the cause of your problem.

cmd = New SqlCommand("INSERT INTO Table1 (row1,row2,row3,row4,row5)VALUES('" + TextBox1.Text + "','" + TextBox2.Text + "','" + TextBox3.Text + "','" + TextBox4.Text + "','" + TextBox5.Text + "')", con)

不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。请改用参数化查询。

Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

cmd = New SqlCommand("INSERT INTO Table1 (row1,row2,row3,row4,row5)VALUES(@R1, @R2, @R3, @R4, @R5)", con)
cmd.Parameters.AddWithValue("@R1", TextBox1.Text)
cmd.Parameters.AddWithValue("@R1", TextBox2.Text)
cmd.Parameters.AddWithValue("@R1", TextBox3.Text)
cmd.Parameters.AddWithValue("@R1", TextBox4.Text)
cmd.Parameters.AddWithValue("@R1", TextBox5.Text)

很有可能这也可以解决你的问题。



请：为了你自己的利益（以及在维护期间必须跟踪并清理混乱的可怜的草皮）停止使用默认名称。即使是测试，使用TextBoxN和RowN和TableN 当你不记得哪个文本框保存了什么价值时，这是一种愚蠢，懒惰和错误的来源。因此，使用描述控件，行和表所包含内容的名称。它不需要很长时间，而且它更容易使用 - Intellisense为您排序！

There is a good chance that this will cure your problem as well.

And please: for your own sake (and that of the poor sods who have to come after you and clear up the mess during maintenance) stop using default names for things. Even for testing, using "TextBoxN" and "RowN" and "TableN" is silly, lazy and a source of errors later when you can't remember which text box hold what value. So use names that describe what the controls, rows, and tables hold. It doesn't take long, and it really is easier to work with - Intellisense sorts it out for you!

这篇关于ASP.NET，MS SQL表插入代码的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！