Can you help with updating user profile in ASP.NET C#


Problem description

I am able to read my user data and display the data into the text boxes ready for the user to edit. I have 5 text boxes that are non-editable to protect the data.

When I debug the program, there are no errors showing. The code reads the data, then on button update click the program runs through the rest of the code and displays the response error "should have updated by now"? I have coded my DB so that I am able to have null values by inserting ***** in the empty slots.

I can't see where the error is. Could someone please help.

Kind Regards
Neville

Here is my code.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
using System.Data;

public partial class DMembersOnly : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // creates a new session and displays the logged in user
        lblWelcome.Text = "";
        lblWelcome.Text += Session["New"].ToString();

        // find their details by running an sql query
        // (the session value is concatenated straight into the SQL text)
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["CarValet"].ConnectionString);
        con.Open();
        string checkUser = "select * from Registered_Customers where Cust_ID='" + Session["Cust_ID"] + "'";
        SqlCommand cmd = new SqlCommand(checkUser, con);
        SqlDataReader Reader = cmd.ExecuteReader();
        // populate the text fields from the query results
        while (Reader.Read())
        {
            txtFirst_Name.Text = Reader.GetString(1);
            txtSurname.Text = Reader.GetString(2);
            txtAddress.Text = Reader.GetString(3);
            txtTown_City.Text = Reader.GetString(4);
            txtPost_Code.Text = Reader.GetString(5);
            txtPhone.Text = Reader.GetString(6);
            txtEmail.Text = Reader.GetString(7);
            // CONVERTING THE DATE TIME WITHOUT THE TIME
            txtRegistration_Date.Text = Convert.ToDateTime(Reader["Registration_Date"]).ToString("dd/MM/yyyy");
            txtCar_Reg1.Text = Reader.GetString(9);
            txtCar_Reg2.Text = Reader.GetString(10);
            txtCar_Reg3.Text = Reader.GetString(11);
            txtUsername.Text = Reader.GetString(12);
        }
    } // of page load

    protected void btnUpdate_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["CarValet"].ConnectionString);
        SqlCommand cmd = con.CreateCommand();
        con.Open();

        // the text box values are concatenated straight into the SQL text
        string UpdateQuery = "Update Registered_Customers set Address='" + txtAddress.Text + "',Town_City='" + txtTown_City.Text + "',Post_Code='" + txtPost_Code.Text + "',Phone='" + txtPhone.Text + "',Car_Reg1='" + txtCar_Reg1.Text + "',Car_Reg2='" + txtCar_Reg2.Text + "',Car_Reg3='" + txtCar_Reg3.Text + "' where Cust_ID='" + Session["Cust_ID"] + "'";

        // the command is built but neither cmd nor cmd3 is ever executed
        SqlCommand cmd3 = new SqlCommand(UpdateQuery, con);
        cmd3.CommandType = CommandType.Text;
        con.Close();

        Label1.Text = "Profile Successfully updated";
        Label1.ForeColor = System.Drawing.Color.Green;

        Response.Write("should have updated by now");
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        Session["New"] = null;
        Response.Redirect("Login.aspx");
    }

    protected void LinkButton1_Click(object sender, EventArgs e)
    {
        Response.Redirect("Login.aspx");
    }
}





What I have tried:

I have tried so many tutorials on updating; I think I am getting quite confused as to which way is best for my program.

Recommended answer

Start by fixing the SQL Injection vulnerability in your code.

Then, update your Page_Load method so that it only loads the data if IsPostBack is false. Currently, you're binding the data on every load, which overwrites the values that the user has entered.

Finally, you need to actually execute the UPDATE query. At the moment, your code creates two SqlCommand objects, but never executes either of them.

You should also wrap all objects that implement IDisposable in a using block.

protected void Page_Load(object sender, EventArgs e)
{
    if (!Page.IsPostBack)
    {
        lblWelcome.Text = Convert.ToString(Session["New"]);
        
        using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["CarValet"].ConnectionString))
        using (SqlCommand cmd = new SqlCommand("select * from Registered_Customers where Cust_ID = @Cust_ID", con))
        {
            cmd.Parameters.AddWithValue("@Cust_ID", Session["Cust_ID"]);
            cmd.CommandType = CommandType.Text;
            
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.CloseConnection | CommandBehavior.SingleResult | CommandBehavior.SingleRow))
            {
                if (reader.Read())
                {
                    txtFirst_Name.Text = reader.GetString(1);
                    txtSurname.Text = reader.GetString(2);
                    txtAddress.Text = reader.GetString(3);
                    txtTown_City.Text = reader.GetString(4);
                    txtPost_Code.Text = reader.GetString(5);
                    txtPhone.Text = reader.GetString(6);
                    txtEmail.Text = reader.GetString(7);
                    txtRegistration_Date.Text = Convert.ToDateTime(reader["Registration_Date"]).ToString("dd/MM/yyyy");
                    txtCar_Reg1.Text = reader.GetString(9);
                    txtCar_Reg2.Text = reader.GetString(10);
                    txtCar_Reg3.Text = reader.GetString(11);
                    txtUsername.Text = reader.GetString(12);
                }
            }
        }
    }
}

protected void btnUpdate_Click(object sender, EventArgs e)
{
    using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["CarValet"].ConnectionString))
    using (SqlCommand cmd = new SqlCommand("Update Registered_Customers set Address = @Address, Town_City = @Town_City, Post_Code = @Post_Code, Phone = @Phone, Car_Reg1 = @Car_Reg1, Car_Reg2 = @Car_Reg2, Car_Reg3 = @Car_Reg3 where Cust_ID = @Cust_ID", con))
    {
        cmd.Parameters.AddWithValue("@Address", txtAddress.Text);
        cmd.Parameters.AddWithValue("@Town_City", txtTown_City.Text);
        cmd.Parameters.AddWithValue("@Post_Code", txtPost_Code.Text);
        cmd.Parameters.AddWithValue("@Phone", txtPhone.Text);
        cmd.Parameters.AddWithValue("@Car_Reg1", txtCar_Reg1.Text);
        cmd.Parameters.AddWithValue("@Car_Reg2", txtCar_Reg2.Text);
        cmd.Parameters.AddWithValue("@Car_Reg3", txtCar_Reg3.Text);
        cmd.Parameters.AddWithValue("@Cust_ID", Session["Cust_ID"]);
        cmd.CommandType = CommandType.Text;
        
        con.Open();
        cmd.ExecuteNonQuery();
    }
    
    Label1.Text = "Profile Successfully updated";
    Label1.ForeColor = System.Drawing.Color.Green;
}

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP

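As an added example (not code from the question or the answer above), here is the parameterized UPDATE written with explicit parameter types and lengths and a rows-affected check, so the success label only appears when a row actually changed. The connection-string name, table and column names come from the question; the column sizes and the assumption that Cust_ID is a text column are mine.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
public partial class DMembersOnly : System.Web.UI.Page
{
    // Typed, length-limited parameter: the value travels as data, never as part of the statement.
    private static void AddText(SqlCommand cmd, string name, string value, int size)
    {
        cmd.Parameters.Add(name, SqlDbType.NVarChar, size).Value = (value ?? "").Trim();
    }

    // Returns the number of rows changed: 1 on success, 0 if no customer matched Cust_ID.
    private static int UpdateContactDetails(string custId, string address, string townCity,
        string postCode, string phone, string carReg1, string carReg2, string carReg3)
    {
        const string sql =
            "UPDATE Registered_Customers SET Address = @Address, Town_City = @Town_City, " +
            "Post_Code = @Post_Code, Phone = @Phone, Car_Reg1 = @Car_Reg1, " +
            "Car_Reg2 = @Car_Reg2, Car_Reg3 = @Car_Reg3 WHERE Cust_ID = @Cust_ID";
        using (var con = new SqlConnection(ConfigurationManager.ConnectionStrings["CarValet"].ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Column sizes are assumptions; match them to the real schema.
            AddText(cmd, "@Address", address, 100);
            AddText(cmd, "@Town_City", townCity, 50);
            AddText(cmd, "@Post_Code", postCode, 10);
            AddText(cmd, "@Phone", phone, 20);
            AddText(cmd, "@Car_Reg1", carReg1, 10);
            AddText(cmd, "@Car_Reg2", carReg2, 10);
            AddText(cmd, "@Car_Reg3", carReg3, 10);
            AddText(cmd, "@Cust_ID", custId, 20);   // assumed text column, as the question quotes it
            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    protected void btnUpdate_Click(object sender, EventArgs e)
    {
        // The row to update comes from the server-side session only, never from the page.
        string custId = Convert.ToString(Session["Cust_ID"]);
        if (string.IsNullOrEmpty(custId)) { Response.Redirect("Login.aspx"); return; }
        int rows = UpdateContactDetails(custId, txtAddress.Text, txtTown_City.Text, txtPost_Code.Text,
            txtPhone.Text, txtCar_Reg1.Text, txtCar_Reg2.Text, txtCar_Reg3.Text);
        // Only claim success when a row really changed; 0 rows means an unknown or stale Cust_ID.
        Label1.Text = rows == 1 ? "Profile successfully updated" : "No matching profile was updated";
        Label1.ForeColor = rows == 1 ? System.Drawing.Color.Green : System.Drawing.Color.Red;
    }
}
```

Fixed-size parameters also keep the server-side plan stable, whereas AddWithValue infers an NVARCHAR length from each input and so produces a different plan per length.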
