尝试检索并将返回值转换为整数。 [英] Trying to retrieve and convert the return value to an integer.

问题描述

我正在尝试将用户表上的用户ID（pk）与所有者表上的用户ID（fk）进行匹配，但似乎无法正常工作。



我有一个注册表单，它会将所有数据都插入到这两个表格中。



但它给了我和Dono（onwer）上的错误说我需要转换它。



我尝试了什么：



我得到了以下代码：

I'm trying to match the users ID (pk) on the 'users' table, with the users ID (fk) on the 'owners' table, but it seems to not be working.

I got a sign up form, which is going to insert all the data into both this tables.

But it gives me and error on the dono (onwer) saying that I need to convert it.

What I have tried:

I got the following code:

protected void confirmarButton_Click(object sender, EventArgs e)
        {
           // int n = 0;

            if (primeiroNome.Text != "" & nomeDoMeio.Text != "" && sobrenome.Text != "" && dataDeNascimento.Text != "" && enderecoPostal1.Text != "" && cidade.Text != "" && email.Text != "" && username.Text != "" && password.Text != "" && confirmarPassword.Text != "")
            {
                if (password.Text == confirmarPassword.Text)
                {
                    String CS = ConfigurationManager.ConnectionStrings["ClinicaAnimal"].ConnectionString;
                    using (SqlConnection con = new SqlConnection(CS))
                    {

                       // n = userIdNumber();


                        SqlCommand cmd2 = new SqlCommand("Insert into Users ([Username], [Password],[Tipo de User])Values('" + username.Text + "','" + Encrypt(password.Text.Trim()) + "','" + "Dono" + "')", con);
                       // cmd2.Parameters.AddWithValue("@Password", Encrypt(password.Text.Trim()));
                        SqlCommand cmd = new SqlCommand("Insert into Dono ([Primeiro Nome], [Nome do Meio], [Sobrenome], [Data de Nascimento], [Endereço Postal1], [Endereço Postal2], [Cidade], [Email], [UserID])Values('" + primeiroNome.Text + "','" + nomeDoMeio.Text + "','" + sobrenome.Text + "','" + dataDeNascimento.Text + "','" + enderecoPostal1.Text + " ','" + enderecoPostal2.Text + " ','" + cidade.Text + " ','" + email.Text + "','"+ "SELECT SCOPE_IDENTITY()" +"')", con);
                       

                        con.Open();

                        cmd2.ExecuteNonQuery();
                        cmd.ExecuteScalar();
                        

                        Response.Redirect("~/Home.aspx");
                    }
                }
                else
                {

推荐答案

引用：

但是它给了我和dono（onwer）上的错误，说我需要转换它。

But it gives me and error on the dono (onwer) saying that I need to convert it.

尝试告诉确切的错误消息和位置。

Try to tell exact error message ans position.

SqlCommand("Insert into Users ([Username], [Password],[Tipo de User])Values('" + username.Text + "','" + Encrypt(password.Text.Trim()) + "','" + "Dono" + "')", con);

不是你问题的解决方案，而是另一个问题你有。

永远不要通过连接字符串来构建SQL查询。迟早，您将使用用户输入来执行此操作，这会打开一个名为SQL注入的漏洞，这对您的数据库很容易并且容易出错。

名称中的单引号你的程序崩溃。如果用户输入像Brian O'Conner这样的名称可能会使您的应用程序崩溃，那么这是一个SQL注入漏洞，崩溃是最少的问题，恶意用户输入，并且它被提升为具有所有凭据的SQL命令。

SQL注入 - 维基百科 [ ^ ]

SQL注入 [ ^ ]

按示例进行SQL注入攻击 [ ^ ]

PHP：SQL注入 - 手册 [ ^ ]

SQL注入预防备忘单 - OWASP [ ^ ]

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]

嘿那里，



阅读你的问题时最好的猜测是你遇到了麻烦类型转换 [ ^ ]：）



如果你在一个语句中尝试使用错误的数据类型（即字符串而不是int / double / float），那么C＃（和SQL就此而言）通常都会出现问题。



例如：

Hey there,

Best guess from reading your question is that you're having trouble with type casting[^] :)

C# (and SQL, for that matter) will often freak out if you try to use the wrong data type (ie, string instead of int/double/float) in a statement.

For example:

int eight = 0;   // works
eight = "0";     // won't work
eight = 5 + 3;   // works
eight = 5 + "3"; // won't work

您的信息不足问题是告诉你要做什么样的演员，但你可能要做的事情就是这样：

There isn't quite enough information in your question to tell what kind of casting you have to do, but you'll probably have to do something along the lines of this:

// converts the "string" data type to the "int" data type
int casted_value = (int)textbox.Text;

请记住，将变量从一种类型转换为另一种类型会导致如果输入的数据以任何方式格式错误，则会产生不必要的运行时错误 - 例如：

Keep in mind that casting a variable from one type to another will cause unwanted runtime errors if the data being entered is malformed in any way - for example:

string five = "five";

// will throw an error, C# can't recognize spoken words :(
int converted_five = (int)five;

To减轻这种风险，确保在尝试进行类型转换之前以编程方式验证和清除所有数据。



最后，正如上面提到的ppolymorphe - 使用字符串直接连接SQL查询具有极大的安全性风险，并且可能/将导致整个数据库在部署应用程序后立即泄露/损坏/误用：）

To mitigate this risk, make sure you programmatically validate and clean all data before attempting type casting.

Lastly, as ppolymorphe mentioned above - directly concatenating SQL queries using strings has enormous security risks, and can/will lead to your entire database being leaked / corrupted / misused as soon as you deploy your application :)

这篇关于尝试检索并将返回值转换为整数。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！