我需要帮助将一些值从Web应用程序插入数据库中 [英] I need help to insert some values into a database from my web application
问题描述
您好,我正在尝试向数据库中插入一些数据,我正在尝试设计一个演示航空公司预订站点以供学习.该网页具有4个dropdownlist控件.我写给按钮单击事件的代码一直给我一个奇怪的错误,因为我是vb的新手,我不知道我在哪里弄错了.以下是我为按钮cliok事件编写的代码
hello i am trying to insert some data into a database,i am trying to design a demo airline reservation site for learning purpose.The web page has 4 dropdownlist control. The code i have written to the button click events keeps giving me a weird error since i am a novice at vb i don''t know where i am getting it wrong.Below is the code i wrote for the button cliok events
Protected Sub txtbutt1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles txtbutt1.Click
Try
Dim cmd As New SqlCommand
Dim conn As New SqlConnection
Dim str, mydate As String
conn.ConnectionString = ConfigurationManager.ConnectionStrings("AirportConnectionString1").ConnectionString
cmd.Connection = conn
conn.Open()
cmd.CommandType = CommandType.Text
mydate = drpDown1.Text & "/" & drpDown2.Text & "/" & drpDown3.Text
str = " Insert into tblReservedFlight (DepartFrom,DepartTo,LeavingDate,ReturnDate) values ('" & txtLeaving.SelectedItem & "','" & txtGoing.SelectedItem & "','" & mydate & "', '" & "" & "')"
cmd.CommandText = str
cmd.ExecuteNonQuery()
Catch ex As Exception
它给出的错误是未为类型"string"和"system.web.UI.webcontrols.Listitems;"定义类型&".
我整天都在为此苦苦挣扎,任何帮助将不胜感激.
谢谢
请我被建议使用参数,我想我已经做到了.但是它无法在数据库中插入选定的值,请有人告诉我我仍然做错了.我仍然感谢大家.新修订的代码.
谢谢@all
受保护的Sub txtbutt1_Click(ByVal发送者作为对象,ByVal e作为System.EventArgs)处理txtbutt1.Click
试试
昏暗的cmd作为新的SqlCommand
昏暗conn作为新的SqlConnection
Dim str,mydate作为String
将Dim参数设置为新的SqlParameter
mydate = drpDown1.Text& "/"& drpDown2.Text& "/"& drpDown3.Text
cmd.Parameters.Add("@ departfrom",SqlDbType.VarChar,50).Value = txtLeaving.SelectedItem
cmd.Parameters.Add("@ departto",SqlDbType.VarChar,50).Value = txtGoing.SelectedItem
cmd.Parameters.Add("@ leavingdate",SqlDbType.DateTime).Value = mydate
conn.ConnectionString = ConfigurationManager.ConnectionStrings("AirportConnectionString1").ConnectionString
cmd.Connection = conn
conn.Open()
cmd.CommandType = CommandType.Text
str =插入到tblReservedFlight(DepartFrom,DepartTo,LeavingDate,)值(@departfrom,@departto,@leavingdate)"
cmd.CommandText = str
cmd.ExecuteNonQuery()
异常捕获
结束尝试
结束子
End Class
the error it gives is operator ''&'' is not defined for type ''string'' and ''system.web.UI.webcontrols.Listitems;.
i have struggled with it all day any help will be greatly appreciated.
Thanks
Please i was advised to use parameters and i think i have done that. but it fails to insert the selected values in the data base please someone should tell me what i am still doing wrong.i remain grateful to everyone.the new revised code.
thanks @all
Protected Sub txtbutt1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles txtbutt1.Click
Try
Dim cmd As New SqlCommand
Dim conn As New SqlConnection
Dim str, mydate As String
Dim param As New SqlParameter
mydate = drpDown1.Text & "/" & drpDown2.Text & "/" & drpDown3.Text
cmd.Parameters.Add("@departfrom", SqlDbType.VarChar, 50).Value = txtLeaving.SelectedItem
cmd.Parameters.Add("@departto", SqlDbType.VarChar, 50).Value = txtGoing.SelectedItem
cmd.Parameters.Add("@leavingdate", SqlDbType.DateTime).Value = mydate
conn.ConnectionString = ConfigurationManager.ConnectionStrings("AirportConnectionString1").ConnectionString
cmd.Connection = conn
conn.Open()
cmd.CommandType = CommandType.Text
str = " Insert into tblReservedFlight (DepartFrom, DepartTo, LeavingDate,) values (@departfrom, @departto, @leavingdate)"
cmd.CommandText = str
cmd.ExecuteNonQuery()
Catch ex As Exception
End Try
End Sub
End Class
推荐答案
首先,不要将文字值直接从应用程序连接到SQL语句.为了防止SQL注入等,请使用 SqlParameter [ ^ ]
关于错误,请不要直接从SelectedItem设置值.根据您定义的数据源,从您在DataValueField中定义的项目的实际数据源中获取值.
第三件事,好像您正在将日期作为文本来处理.如果仅仅是因为您没有使用过参数,那么在定义SqlParameter对象时这将更正.但是,如果还定义了基础表,以便将日期存储在varchar列中,则建议使用date或datetime代替.
First of all, don''t concatenate literal values from your application directly to your SQL statement. To be safe from SQL injections etc, use SqlParameter[^]
About the error, don''t set the value directly fromSelectedItem. Depending on the data source you have defined, take the value from the actual data source from the item which you have defined inDataValueField.
Third thing, looks like you''re handling dates as text. If it''s only because you haven''t used parameters, that''ll correct when you define the SqlParameter objects. However if the underlying table is also defined so that the date is stored in avarcharcolumn, I''d suggest using eitherdateordatetimeinstead.
[在除了正确答案我的Mika,解决方案1:]
您可以根据用户提供的数据来组成数据库命令字符串. 永远不要这样做,因为这些用户提供的字符串可以是任何东西.甚至是SQL的某些片段.从安全的角度来看,这是不可接受的,因为它为众所周知的 SQL注入漏洞利用打开了大门.请参阅其上的一篇文章,并注意参数化语句的重要性:
http://en.wikipedia.org/wiki/SQL_injection [ http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx [ ^ ].
另外,不要认为在其他情况下可以进行这么多的字符串连接.问题是:字符串是不可变的,因此重复连接是相当大的性能泄漏.我什至要解释为什么吗?类System.Text.StringBuilder和方法string.Format都没有此问题.
—SA
[In addition to the correct answer my Mika, Solution 1:]
You compose your DB command string out of data supplied by the user. You should never do it, because those user-supplied strings could be anything. Even some fragments of SQL. This is unacceptable from the security standpoint, because it opens wide doors to a well-know exploit called SQL injections. Please see an article on it and pay attention for the importance of parametrized statements:
http://en.wikipedia.org/wiki/SQL_injection[^].
Please read on using command parameters:
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx[^].
Also, don''t think that you can do so many string concatenations in other cases. The problem is: strings are immutable, so repeated concatenation is a considerable performance leak. Should I even explain why? The classSystem.Text.StringBuilderand the methodstring.Formatare free from this problem.
—SA
这篇关于我需要帮助将一些值从Web应用程序插入数据库中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
