请帮助我,我得到错误必须声明标量变量“@ branch”。 [英] Please help me I got error must declare the scalar variable "@branch".
问题描述
public partial class Add_question:System.Web.UI.Page
{
protected void Page_Load(object sender,EventArgs e)
{
// if(!Page.IsPostBack)
// {
// DropDownList1.DataSource = DropDownList1.SelectedItem.Value;
// DropDownList1.DataBind();
//}
}
protected void Button1_Click(object sender,EventArgs e)
{
SqlConnection con = new SqlConnection(@Data Source =(LocalDB)\ v11.0; AttachDbFilename = F:\ AAAAAAAAAAA \ FINGERPRINT \APP_DATA \ QUESTIONS.MDF; Integrated Security = True; );
con.Open();
string str;
str =插入[问题](分支)值(@Branch )(Semister)值(@Semister)(Marks)值(@Marks)(Questions)值('+ TextBox1.Text +');
SqlCommand cmd = new SqlCommand(str, con);
cmd.ExecuteNonQuery();
con.Close();
}
}
我尝试过:
i尝试了其他一些方法,但我得到了同样的错误
public partial class Add_question : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
//if (!Page.IsPostBack)
//{
// DropDownList1.DataSource = DropDownList1.SelectedItem.Value;
// DropDownList1.DataBind();
//}
}
protected void Button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\v11.0;AttachDbFilename=F:\AAAAAAAAAAA\FINGERPRINT\APP_DATA\QUESTIONS.MDF;Integrated Security=True;");
con.Open();
string str;
str = "insert into [questions] (Branch) values (@Branch) (Semister) values (@Semister) (Marks) values (@Marks) (Questions) values ('" + TextBox1.Text + "')";
SqlCommand cmd = new SqlCommand(str,con);
cmd.ExecuteNonQuery();
con.Close();
}
}
What I have tried:
i have try some other way but i got same error
推荐答案
请,了解你在做什么。
你哈我们在互联网上找到了一些代码,并将其中的一些代码复制到您的代码中,而没有考虑它应该如何工作。然后你添加了一些代码来尝试使它以不同的方式工作。
这是无效的SQL,它容易受到SQL注入,你的用户可能会损坏或删除你的数据库,它缺少所有参数值,很明显你不知道你在做什么。
你要插入一行的基本SQL是这样的:
Please, learn what you are doing.
You have found some code on the internet, and copied some of it into your code without thinking about how it's supposed to work. You've then added some code to try and make it work differently.
That's not valid SQL, it's vulnerable to SQL Injection where your user can damage or delete your database, it's missing all the parameter values, and it's clear you don't know what you are doing.
The basic SQL you want to insert a row is like this:
INSERT INTO MyTableName (firstColumnNameToInsertInto, secondColumnNameToInsertInto, ...) VALUES (valueToInserttoColumn1, valueToInsertToColumn2, ...)但是你将混合参数(你没有提供)和字符串连接 - 以及串联是个大问题:
But you are then mixing parameters (which you don't provide) with string concatenation - and the concatenation is a big problem:
string sql = "INSERT INTO MyTable (MyColumn) VALUES ('" + myTextBox.Text + "')";这是字符串连接,它为您的用户提供了对数据库的完全控制 - 只是通过在文本框中输入,他可以做任何他喜欢的事情。
永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。改为使用参数化查询。
但是当你使用参数化查询时:
That's string concatenation, and it gives total control of you DB to your user - just by typing in the text box he can do anything he likes.
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
But when you do use parameterised queries:
string sql = "INSERT INTO MyTable (MyColumn) VALUES (@MyValue)";
您必须提供参数值:
You have to supply the parameter value:
int myValueForTheColumn = 666;
string sql = "INSERT INTO MyTable (MyColumn) VALUES (@MyValue)";
SqlCommand cmd = new SqlCommand(sql, connection);
cmd.Parameters.AddWithValue("@MyValue", myValueForTheColumn);
想想那个地段,看看你是否可以找出你需要用什么代码来实现它 - 这并不困难!
让我知道你是怎么过的。
Think about that lot, and see if you can work out what code you need to use to get this to work - it's not difficult!
Let me know how you get on.
这篇关于请帮助我,我得到错误必须声明标量变量“@ branch”。的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
