Please help me to solve this code, I'm getting an error


Problem description

string ID = GridView1.Rows[e.RowIndex].Cells[0].Text; //ID
string Name = ((TextBox)GridView1.Rows[e.RowIndex].Cells[1].Controls[0]).Text; //Company
string Address = ((TextBox)GridView1.Rows[e.RowIndex].Cells[2].Controls[0]).Text; //Name
string Gender = ((RadioButtonList)GridView1.Rows[e.RowIndex].Cells[3].Controls[0]).Text; //Title
string Country = ((DropDownList)GridView1.Rows[e.RowIndex].Cells[4].Controls[0]).Text; //Address
string State = ((DropDownList)GridView1.Rows[e.RowIndex].Cells[5].Controls[0]).Text; //Country
string City = ((DropDownList)GridView1.Rows[e.RowIndex].Cells[5].Controls[0]).Text; //Country

SqlCommand cmd = new SqlCommand("update SubmitData set Name='" + Name + "',Address='" + Address + "',Gender='" + Gender + "',Country='" + Country + "',State='" + State + "',City='" + City + "' where ID = ID", con);
GridView1.EditIndex = -1;
GetData();








What I have tried:

I've tried everything, but it doesn't give me the desired output, and the value is also null. Please help me.

Recommended answer

SqlCommand cmd = new SqlCommand("update SubmitData set Name='" + Name + "',Address='" + Address + "',Gender='" + Gender + "',Country='" + Country + "',State='" + State + "',City='" + City + "' where ID = ID", con);





Certainly not your error, but I fear this part is wrong.
Comment: your way of constructing the SQL command is a bad idea, because an unexpected parameter can break the command, and a malicious parameter can lead to a hack via SQL injection.
SQL injection - Wikipedia, the free encyclopedia
SQL Injection



Since your comments don't match the names of the variables to which you are assigning, I'd guess that you're putting the wrong values into your update statement. (See **MISMATCH** comments below!)
Also, your where clause is wrong. You aren't using the ID value from the row of the GridView.
I don't see the SqlCommand you construct actually being executed!

Your code is vulnerable to SQL injection.
It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database.
NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query. Something like:
// verify that e.RowIndex is valid!
TableCellCollection theRowCells = GridView1.Rows[e.RowIndex].Cells;
string ID = theRowCells[0].Text; //ID
string Name = ((TextBox)theRowCells[1].Controls[0]).Text; //Company  **MISMATCH**
string Address = ((TextBox)theRowCells[2].Controls[0]).Text; //Name  **MISMATCH**
string Gender = ((RadioButtonList)theRowCells[3].Controls[0]).Text; //Title  **MISMATCH**
string Country = ((DropDownList)theRowCells[4].Controls[0]).Text; //Address  **MISMATCH**
string State = ((DropDownList)theRowCells[5].Controls[0]).Text; //Country  **MISMATCH**
string City = ((DropDownList)theRowCells[5].Controls[0]).Text; //Country  **MISMATCH**
// These last two both reference cells[5]!!!

// assuming you've straightened out the values to variables correlation at this point:

using (SqlCommand cmd = new SqlCommand("UPDATE SubmitData SET Name=@NAME, Address=@ADR, Gender=@G, Country=@CNTRY, State=@ST, City=@CITY where ID = @ID", con))
{
  cmd.Parameters.AddWithValue("@NAME", Name);
  cmd.Parameters.AddWithValue("@ADR", Address);
  cmd.Parameters.AddWithValue("@G", Gender);
  cmd.Parameters.AddWithValue("@CNTRY", Country);
  cmd.Parameters.AddWithValue("@ST", State);
  cmd.Parameters.AddWithValue("@CITY", City);
  cmd.Parameters.AddWithValue("@ID", ID);
        
  con.Open();
  cmd.ExecuteNonQuery();
}
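The following script is an added example, not code from the question or from either answer above. It reproduces, against an in-memory SQLite copy of the SubmitData table, the three defects the answers point out: a value containing an apostrophe breaks a concatenated statement; a crafted value rewrites the statement and overwrites every row; and "WHERE ID = ID" is always true, so even a correctly parameterized update touches every row. It then shows that the parameterized form stores both awkward and hostile values literally. The table rows and the attacker's payload are constructed for the demonstration; the placeholder syntax is SQLite's "?" rather than ADO.NET's "@NAME", but the mechanism is the same as in the SqlCommand example above.

```python
import sqlite3

# Constructed sample rows (not from the original page); columns mirror the question's table.
SAMPLE_ROWS = [
    (1, "Alice", "1 Main St", "F", "US", "CA", "Fresno"),
    (2, "Bob", "2 High St", "M", "UK", "Kent", "Dover"),
    (3, "Carol", "3 Low St", "F", "DE", "BY", "Munich"),
]


def make_db():
    """Create an in-memory SubmitData table with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE SubmitData (ID INTEGER PRIMARY KEY, Name TEXT, Address TEXT,"
        " Gender TEXT, Country TEXT, State TEXT, City TEXT)"
    )
    con.executemany("INSERT INTO SubmitData VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    return con


def names(con):
    """Return the Name column in ID order, to show what an update actually did."""
    return [row[0] for row in con.execute("SELECT Name FROM SubmitData ORDER BY ID")]


def update_concatenated(con, row_id, name, city):
    """Vulnerable: the question's string concatenation (with the row ID at least used)."""
    sql = ("UPDATE SubmitData SET Name='" + name + "', City='" + city
           + "' WHERE ID = " + str(row_id))
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def update_where_id_equals_id(con, name, city):
    """Parameterized values, but the question's WHERE clause: ID = ID matches every row."""
    cur = con.execute("UPDATE SubmitData SET Name=?, City=? WHERE ID = ID", (name, city))
    con.commit()
    return cur.rowcount


def update_parameterized(con, row_id, name, city):
    """Correct: placeholders carry the values, so input is never parsed as SQL."""
    cur = con.execute(
        "UPDATE SubmitData SET Name=?, City=? WHERE ID = ?", (name, city, row_id)
    )
    con.commit()
    return cur.rowcount


def demo():
    """Run each case on a fresh table and collect the observable outcome."""
    results = {}

    # 1. Accidental breakage: an apostrophe in ordinary data ends the string literal early.
    con = make_db()
    try:
        update_concatenated(con, 1, "O'Brien", "Cork")
        results["apostrophe_concat"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_concat"] = "error"

    # 2. Deliberate injection: the payload closes the literal, supplies its own WHERE,
    #    and comments out the rest, so the update hits every row, not just ID 1.
    con = make_db()
    payload = "Mallory' WHERE 1=1 --"  # constructed attacker input
    update_concatenated(con, 1, payload, "Nowhere")
    results["injection_concat"] = names(con)

    # 3. The question's WHERE ID = ID: rowcount equals the whole table.
    con = make_db()
    results["where_id_eq_id_rows"] = update_where_id_equals_id(con, "Zed", "Zed City")

    # 4. Parameterized: both the apostrophe and the payload are stored as plain text.
    con = make_db()
    update_parameterized(con, 1, "O'Brien", "Cork")
    update_parameterized(con, 2, payload, "Nowhere")
    results["parameterized"] = names(con)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Parameterization fixes the injection, but not the WHERE clause: the row ID must still be bound as its own parameter (as "@ID" is in the answer above), otherwise a benign edit of one row silently rewrites all of them.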

