Session maintenance from an Access database gives an error.


Problem description

The error is as follows.

Data type mismatch in criteria expression.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: Data type mismatch in criteria expression.
Source Error:
Line 27:         string sql = "select count(*) from generate where roll_no =' +TextROLL.Text +'";
Line 28:         OleDbCommand checkuser = new OleDbCommand(sql, con);
Line 29:         int temp = Convert.ToInt32(checkuser.ExecuteScalar().ToString());
Line 30:         if (temp == 1)
Line 31:         {

Source File: e:\placement cell\studlgn.aspx.cs    Line: 29

The whole code is below.

protected void Btnlgin_Click(object sender, EventArgs e)
{
  OleDbConnection con = new OleDbConnection();
  //con.ConnectionString = WebConfigurationManager.ConnectionStrings["sl"].ConnectionString;
  con.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0; Data Source=E:\placement cell\project.mdb";
  con.Open();
  //string sql= "SELECT roll_no FROM generate WHERE roll_no = '"+TextROLL.Text+"'";
  string sql = "select count(*) from generate where roll_no =' "+TextROLL.Text +"'";
  OleDbCommand checkuser = new OleDbCommand(sql, con);
  int temp = Convert.ToInt32(checkuser.ExecuteScalar().ToString());
  if (temp == 1)
  {
    string sql2 = "select pwd from generate where roll_no= '" + TextROLL.Text + "'";
    OleDbCommand pass = new OleDbCommand(sql2, con);
    string pwd = pass.ExecuteScalar().ToString();
    con.Close();
    if (pwd == TextPWD.Text)
    {
      Session["new"] = TextROLL.Text;
      Response.Redirect("student.aspx");
    }
    else
    {
      lblStatus.Visible = true;
      lblStatus.Text = "invalid password";
    }
  }
  else
  {
    lblStatus.Visible = true;
    lblStatus.Text = "invalid password";
  }
}

Recommended answer

To add to what Marcus says, please do not access your database like that anyway.
By concatenating strings to form your query, you leave yourself wide open to accidental or deliberate SQL Injection attacks. Use parametrized queries instead:
string sql2 = "select pwd from generate where roll_no=@RN";
OleDbCommand pass = new OleDbCommand(sql2, con);
pass.Parameters.AddWithValue("@RN", TextROLL.Text);

You also should close and dispose of your connection and command objects - using blocks are probably the cleanest way to do this.

My hunch is that the "roll_no" field in your database isn't a string type, but a number, in which case the single quotes need to be removed from your query.
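Putting the three points of the answer together (parameterized query, using blocks, and a numeric roll_no with no quotes), here is the login handler rewritten as an added example; this is not the poster's or the answerer's code. It keeps the table, column and control names from the question (generate, roll_no, pwd, TextROLL, TextPWD, lblStatus), reads the connection string from the "sl" entry the poster had commented out, and assumes roll_no is an integer column as the answer suspects; the class name is assumed from the source file name in the stack trace. It also folds the count + select pair into a single query, since a null result already means "no such roll_no".

```csharp
// Added example, not the original poster's code. Login handler for studlgn.aspx.cs
// rewritten with a typed, parameterized query and using blocks.
using System;
using System.Data;
using System.Data.OleDb;
using System.Web.Configuration;

// Class name assumed from the file name in the error (studlgn.aspx.cs).
public partial class studlgn : System.Web.UI.Page
{
    protected void Btnlgin_Click(object sender, EventArgs e)
    {
        // Check the input type before it reaches the database. If roll_no is a
        // numeric column, a non-numeric entry is a failed login, not an exception.
        int rollNo;
        if (!int.TryParse(TextROLL.Text.Trim(), out rollNo))
        {
            ShowFailure();
            return;
        }

        // Connection string from web.config ("sl" is the key from the question).
        string connStr = WebConfigurationManager.ConnectionStrings["sl"].ConnectionString;

        // One query replaces the count + select pair; no quotes around the value,
        // and no string concatenation, so the input can never change the SQL.
        const string sql = "SELECT pwd FROM generate WHERE roll_no = ?";

        object storedPwd;
        using (OleDbConnection con = new OleDbConnection(connStr))
        using (OleDbCommand cmd = new OleDbCommand(sql, con))
        {
            // The Jet OLE DB provider binds parameters by position, so the
            // placeholder is '?' and the parameter name is only documentary.
            cmd.Parameters.Add("@RN", OleDbType.Integer).Value = rollNo;
            con.Open();
            storedPwd = cmd.ExecuteScalar();   // null when no row matches
        }   // connection and command are disposed here, even if ExecuteScalar throws

        if (storedPwd != null && string.Equals(storedPwd.ToString(), TextPWD.Text))
        {
            Session["new"] = TextROLL.Text;
            Response.Redirect("student.aspx");
        }
        else
        {
            ShowFailure();
        }
    }

    private void ShowFailure()
    {
        // Same generic message for an unknown roll_no and a wrong password,
        // as the original code did.
        lblStatus.Visible = true;
        lblStatus.Text = "invalid password";
    }
}
```

If roll_no turns out to be a text column after all, only two lines change: drop the TryParse step and bind the parameter as OleDbType.VarWChar with TextROLL.Text as its value; the SQL text stays the same.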
