如何使用update命令在表中添加带有值的文本框值？ [英] How do I add textbox value with value in table using update command ?

问题描述

用户将在文本框中输入Quantity的值。我希望使用数据库中Quantity列中的值添加此值。我是怎么表演的？



我尝试过：



cmd .CommandText =更新书籍设置数量=数量+ txtUpdateQuantity.Text，其中Name ='+ txtBookName.Text +'和Author ='+ txtBookAuthor.Text +';;

解决方案

不是那样的！永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。请改用参数化查询。

首先，将数值解析为数字变量：

  int 数量; 
  if （！int.TryParse（txtUpdateQuantity.Text， out  qty））
 {
 ...向用户报告问题... 
  return ; 
} 
 

然后尝试这样的事情：

 使用（SqlConnection con =  new  SqlConnection（strConnect））
 {
 con.Open（）; 
 使用（SqlCommand cmd =  new  SqlCommand（   UPDATE Books SET Quantity = Quantity + @QT WHERE [Name] = @NM AND Author = @AU，con））
 { 
 cmd.Parameters.AddWithValue（  @ QT，qty）; 
 cmd.Parameters.AddWithValue（  @ NM，txtBookName.Text）; 
 cmd.Parameters.AddWithValue（  @ AU，txtBookAuthor.Text）; 
 cmd.ExecuteNonQuery（）; 
} 
} 
 

 string qty = txtUpdateQuantity.Text; 
 string book = txtBookName.Text; 
 string author = txtBookAuthor.Text; 
 SqlCommand cmd = new SqlCommand（）; 
 cmd.Connection = con; 
 cmd.CommandText =更新图书集数量=数量+ @qty，其中Name = @ book and Author = @ author; 
 cmd.Parameters.AddWithValue（@ qty，qty）; 
 cmd.Parameters.AddWithValue（@ book，book）; 
 cmd.Parameters.AddWithValue（@ author，作者）; 
 con.Open（）; 
 cmd.ExecuteNonQuery（）; 
 

格式化sql查询字符串是易受攻击到 SQL注入 [ ^ ]攻击

总是使用参数化查询以防止SQL Server中的SQL注入攻击 [ ^

The user will input a value for Quantity in textbox. This value I want to add with the value present in Quantity column in the database. How I perform it ?

What I have tried:

cmd.CommandText = "update Books set Quantity=Quantity + txtUpdateQuantity.Text where Name='"+txtBookName.Text+"' and Author='"+txtBookAuthor.Text+"';";

解决方案

Not like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
First, parse the numeric values to number variables:

int qty;
if (!int.TryParse(txtUpdateQuantity.Text, out qty))
    {
    ... report a problem to the user ...
    return;
    }

Then try something like this:

using (SqlConnection con = new SqlConnection(strConnect))
    {
    con.Open();
    using (SqlCommand cmd = new SqlCommand("UPDATE Books SET Quantity = Quantity + @QT WHERE [Name] = @NM AND Author = @AU", con))
        {
        cmd.Parameters.AddWithValue("@QT", qty);
        cmd.Parameters.AddWithValue("@NM", txtBookName.Text);
        cmd.Parameters.AddWithValue("@AU", txtBookAuthor.Text);
        cmd.ExecuteNonQuery();
        }
    }

string qty = txtUpdateQuantity.Text;
           string book = txtBookName.Text;
           string author = txtBookAuthor.Text;
           SqlCommand cmd = new SqlCommand();
           cmd.Connection = con;
           cmd.CommandText = "update Books set Quantity=Quantity + @qty  where Name=@book and Author=@author ";
           cmd.Parameters.AddWithValue("@qty", qty);
           cmd.Parameters.AddWithValue("@book", book);
           cmd.Parameters.AddWithValue("@author", author);
           con.Open();
           cmd.ExecuteNonQuery();

Formatting the sql Query string is vulnerable to SQL Injection[^] attacks
always use Parameterized queries to prevent SQL Injection Attacks in SQL Server[^]

这篇关于如何使用update命令在表中添加带有值的文本框值？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！