Input string not in correct format when trying to validate
Problem description
I am trying to validate my webform. If count is 2 for the particular month and employee, a jquery message will show. But I am getting input string not in correct format.
I am new to asp.net. Can you please guide me on how I can write this query correctly?
string query = "select sum(count) from WFHCO_COUNT where MONTH= " + DropDownList3.SelectedValue.ToString()+" and EMPNO=EMPNO";
int counts = Convert.ToInt32(query);
if ( counts >= 2)
{
JQUERYDisplay.ShowAlertMessage("Oops.. You have already made two requests for this month. Try again Next Month");
clear();
}
There are several mistakes:
string query = "select sum(count) from WFHCO_COUNT where MONTH= " + DropDownList3.SelectedValue.ToString()+" and EMPNO=EMPNO";
is bad; this leaves your code open to SQL injection attacks. You should validate that the value selected is a valid one, and construct your query from there. This way:
using System.Data.SqlClient; // needed for SqlConnection and SqlCommand

int month;
if (!int.TryParse(DropDownList3.SelectedValue, out month))
{
    // Selected value is not a valid integer
    return;
}

string query = "select sum(count) from WFHCO_COUNT where MONTH=@month and EMPNO=@empno";

using (SqlConnection connection = /* Build your connection here */)
using (SqlCommand cmd = new SqlCommand(query, connection))
{
    cmd.Parameters.AddWithValue("@month", month);
    cmd.Parameters.AddWithValue("@empno", EMPNO);
    connection.Open();
    // ExecuteScalar returns object; SUM over no matching rows yields DBNull, not 0
    object result = cmd.ExecuteScalar();
    int count = result == DBNull.Value ? 0 : Convert.ToInt32(result);
}
As you can see:
- I validated that the selected value is a valid integer (we could also validate that it is a valid month), in case the user just typed a hand-crafted value in the combo.
- I used SqlConnection and SqlCommand objects.
- I used a parameterized query, and qualified said parameters before executing.
- I execute the query and get a result from it, whereas you just tried to get the result by converting your query to an integer. 'Convert' class is not a magic wand, and in fact it is rarely needed nor useful.
- I used using blocks so that disposable objects are effectively disposed when they are not needed anymore.
Um...
string query = "select sum(count) from WFHCO_COUNT where MONTH= " + DropDownList3.SelectedValue.ToString()+" and EMPNO=EMPNO";
int counts = Convert.ToInt32(query);

And what number do you expect a string that starts with "select" to generate?
Words are not numbers, and strings do not automatically query databases.
Try:
int counts;
using (SqlConnection con = new SqlConnection(@"strConnect"))
{
    con.Open();
    using (SqlCommand com = new SqlCommand("select sum(count) from WFHCO_COUNT where MONTH= " + DropDownList3.SelectedValue.ToString() + " and EMPNO=EMPNO", con))
    {
        counts = (int) com.ExecuteScalar();
    }
}
But...you should use a parameterised query, and the second part of your WHERE clause is irrelevant!
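A hardened version of the check that both answers point to, added here as an example (it is not code from the question or from either answer): it validates that the posted month is a real month, binds both values as typed parameters so nothing from the page is ever interpreted as SQL, and handles the NULL that SUM returns when the employee has no rows yet. It assumes a connection string in connectionString, that EMPNO is an integer column, and that the employee number is already known server-side rather than taken from the form.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class WfhCountCheck
{
    // Returns how many requests the employee has made in the given month,
    // or 0 when there are no matching rows (SUM over an empty set is NULL).
    public static int RequestsThisMonth(string connectionString, string selectedMonth, int empNo)
    {
        // Validate before the value goes anywhere near SQL: a DropDownList value
        // can be altered client-side, so it must be an integer AND a real month.
        int month;
        if (!int.TryParse(selectedMonth, out month) || month < 1 || month > 12)
        {
            throw new ArgumentOutOfRangeException("selectedMonth", "Month must be 1..12");
        }

        // COALESCE turns the NULL from SUM into 0, so ExecuteScalar never returns
        // DBNull here. [count] is bracketed because COUNT is also a SQL function name.
        const string sql =
            "SELECT COALESCE(SUM([count]), 0) FROM WFHCO_COUNT " +
            "WHERE MONTH = @month AND EMPNO = @empno";

        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, connection))
        {
            // Typed parameters: values travel separately from the SQL text,
            // so the database never parses user input as part of the statement.
            cmd.Parameters.Add("@month", SqlDbType.Int).Value = month;
            cmd.Parameters.Add("@empno", SqlDbType.Int).Value = empNo; // assumption: EMPNO is int

            connection.Open();
            object result = cmd.ExecuteScalar();
            // Defensive: still cope with DBNull in case the column allows NULLs.
            return (result == null || result == DBNull.Value) ? 0 : Convert.ToInt32(result);
        }
    }

    // The rule the question wanted to enforce: two requests per month is the limit.
    public static bool LimitReached(string connectionString, string selectedMonth, int empNo)
    {
        return RequestsThisMonth(connectionString, selectedMonth, empNo) >= 2;
    }
}
```

Call LimitReached from the page's validation handler and show the jQuery message only when it returns true; the validation failure on a tampered month is thrown before any query is sent.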