Input string not in correct format when trying to validate


Problem description

I am trying to validate my webform. If count is 2 for the particular month and employee, a jquery message will show. But I am getting input string not in correct format.

I am new to asp.net. Can you please guide me how can i write this query correctly?

string query = "select sum(count) from WFHCO_COUNT where MONTH= " + DropDownList3.SelectedValue.ToString()+" and  EMPNO=EMPNO";
int counts = Convert.ToInt32(query);
if ( counts >= 2)
{
    JQUERYDisplay.ShowAlertMessage("Oops.. You have already made two requests for this month. Try again Next Month");
    clear();
}

Solution

There are several mistakes:

string query = "select sum(count) from WFHCO_COUNT where MONTH= " + DropDownList3.SelectedValue.ToString()+" and  EMPNO=EMPNO";


is bad; this leaves your code open to SQL injection attacks. You should validate that the value selected is a valid one, and construct your query from there. This way:

int month;
if (!int.TryParse(DropDownList3.SelectedValue, out month)) {
   // Selected value is not a valid integer
   return;
}
string query = "select sum(count) from WFHCO_COUNT where MONTH=@month and  EMPNO=@empno";
using (SqlConnection connection = /* Build your connection here */)
using (SqlCommand cmd = new SqlCommand(query, connection)) {
   cmd.Parameters.AddWithValue("@month", month);
   cmd.Parameters.AddWithValue("@empno", EMPNO);
   connection.Open();
   // ExecuteScalar returns object; SUM over zero rows is NULL, which arrives as DBNull
   object result = cmd.ExecuteScalar();
   int count = result == DBNull.Value ? 0 : Convert.ToInt32(result);
}


As you can see:
- I validated that the selected value is a valid integer (we could also validate that it is a valid month), in case user just typed a hand-crafted value in the combo.
- I used SqlConnection and SqlCommand objects.
- I used a parameterized query, and qualified said parameters before executing.
- I execute the query and get a result from it, whereas you just tried to get the result by converting your query to an integer. 'Convert' class is not a magic wand, and in fact it is rarely needed or useful.
- I used using blocks so that disposable objects are effectively disposed when they are not needed anymore.
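Putting the points above together, here is an added example (not code from the question or from either answer) of the validated, parameterised lookup as one method. It assumes a connection string `connectionString`, an int `EMPNO` column, and brackets the column name `[count]` because COUNT is a reserved word in T-SQL; it uses `Parameters.Add` with an explicit `SqlDbType` instead of `AddWithValue` so the parameter type is fixed by the code rather than inferred from the value.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class WfhCount
{
    // Returns the number of requests already recorded for (month, empNo).
    // Returns null when the posted month is not a valid month number, so the
    // caller can reject the input instead of running a query on it.
    public static int? RequestsThisMonth(string connectionString, string selectedMonth, int empNo)
    {
        // Never trust the posted value: a DropDownList can be tampered with client-side.
        int month;
        if (!int.TryParse(selectedMonth, out month) || month < 1 || month > 12)
        {
            return null;
        }

        // User input only ever travels as a typed parameter, never as SQL text.
        const string query =
            "SELECT SUM([count]) FROM WFHCO_COUNT WHERE MONTH = @month AND EMPNO = @empno";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(query, connection))
        {
            // Explicit types: the parameter type is declared here, not inferred at runtime.
            command.Parameters.Add("@month", SqlDbType.Int).Value = month;
            command.Parameters.Add("@empno", SqlDbType.Int).Value = empNo;

            connection.Open();
            object result = command.ExecuteScalar();

            // SUM over zero rows yields NULL, which arrives as DBNull rather than 0.
            return (result == null || result == DBNull.Value) ? 0 : Convert.ToInt32(result);
        }
    }
}

// Usage from the page handler (assumed names connectionString and EMPNO):
// int? count = WfhCount.RequestsThisMonth(connectionString, DropDownList3.SelectedValue, EMPNO);
// if (count == null) { /* invalid month selected: show a validation error */ }
// else if (count >= 2) { JQUERYDisplay.ShowAlertMessage("..."); clear(); }
```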


Um...

string query = "select sum(count) from WFHCO_COUNT where MONTH= " + DropDownList3.SelectedValue.ToString()+" and  EMPNO=EMPNO";
           int counts = Convert.ToInt32(query);

And what number do you expect a string that starts with "select" to generate?
Words are not numbers, and strings do not automatically query databases.
Try:

int counts;
using (SqlConnection con = new SqlConnection(@"strConnect"))
{
    con.Open();
    using (SqlCommand com = new SqlCommand("select sum(count) from WFHCO_COUNT where MONTH= " + DropDownList3.SelectedValue.ToString()+" and  EMPNO=EMPNO", con))
    {
        // SUM over zero rows returns NULL (DBNull); a direct (int) unbox would throw on it
        object result = com.ExecuteScalar();
        counts = result == DBNull.Value ? 0 : Convert.ToInt32(result);
    }
}


But...you should use a parameterised query, and the second part of your WHERE clause is irrelevant!

