在ASP.NET中更新下拉列表 [英] update dropdownlist in ASP.NET

问题描述

我有一个处理更新下拉列表的任务.当下拉列表中的值更改时，它必须在数据库中更改.因此，要从另一个表中检索要更新值的条件.我试过了，但是它抛出错误信息

将varchar值转换为数据类型int时转换失败."

Hi,

I have a task which deals with updating dropdownlist. When the value is changed in dropdown list it has to change in database. So the condition for which the value is to be updated is to be retrieved from another table . I tried that but it is throwing a error messaage

"Conversion failed when converting the varchar value to data type int".

protected void Button3_Click(object sender, EventArgs e)
    {
con.open(); 
cmd = new SqlCommand("update marriage_configuration set page_theme = ('" + DropDownList1.SelectedItem + "') where u_e_id=(select R_id from users where Email_id=R_id)", con);
}

推荐答案

1)使用Paramterized Commands完成您的工作.您对这种方式的SQL注入持开放态度.
2)DropDownList1.SelectedItem将返回一个对象，而不是查询所期望的整数.最简单的解决方案是将列表中的每个项目的ListItem.Value属性设置为integer.ToString().然后，在构建查询时，可以使用Convert.ToInt32(DropDownList1.SelectedValue)作为参数.我更喜欢以下语法来解析整数，而不是Convert.ToInt32语法.

1) Use Paramterized Commands to do your work. You are wide open to sql injection this way.
2) DropDownList1.SelectedItem will return an object, not an integer as your query expects. The easiest solution would be to set the ListItem.Value property to an integer.ToString() for each item in your list. Then when you build your query you can use the Convert.ToInt32(DropDownList1.SelectedValue) as your argument. I prefer the following syntax for parsing an integer as opposed to the Convert.ToInt32 syntax.

int selectedValue;
if( Int32.TryParse( DropDownList1.SelectedValue, out selectedValue ) )
   // Do your query
else
   // The TryParse failed so you have an invalid selectedValue.

如果page_theme是一个int，则需要提供一个int才能使更新生效:

If page_theme is an int, you need to supply it an int for your update to work:

protected void Button3_Click(object sender, EventArgs e)
    {
con.open();
cmd = new SqlCommand("update marriage_configuration set page_theme = " + DropDownList1.SelectedItem.Value + " where u_e_id=(select R_id from users where Email_id=R_id)", con);
}

将您连接的值引用为sql字符串意味着它不会被解释为整数，更可能是某种字符串类型.

另外，永远不要那样连接SQL字符串.您只是想通过SQL注入方式被黑客入侵.使用参数化查询:

https://www.owasp.org/index.php/SQL_Injection [

Quoting a value you concatenate into a sql string means it won''t be interpreted as an integer, more likely a string type of some sort.

Also, don''t ever concatenate SQL strings like that. You''re just asking to get hacked by means of SQL injection. Use parameterized queries:

https://www.owasp.org/index.php/SQL_Injection[^]

这篇关于在ASP.NET中更新下拉列表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！