使数据插入数据库而不是returni [英] make the data insert into the database instead of returni
本文介绍了使数据插入数据库而不是returni的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
这是网络方法:
this is the web method:
[WebMethod]
public string Register(string Email, string Name, string Surname, string Password, string SecurityQuestion, string SecurityAnswer)
{
string result = "Invalid";
try
{
conn = new OleDbConnection(connString);
conn.Open();
OleDbCommand cmd = conn.CreateCommand();
cmd.CommandText = "SELECT * FROM [RegisteredUsers] WHERE Email = '" + Email + "'";
OleDbDataReader dbreader = cmd.ExecuteReader();
if (dbreader.HasRows)
{
result = "exists";
}
else
{
cmd = conn.CreateCommand();
cmd.CommandText = "INSERT INTO [RegisteredUsers] WHERE (Email, Name, Surname,Password,SecurityQuestion,SecurityAnswer) VALUES ('" + Email + "', '" + Name+ "', '" + Surname + "', '" + Password + "','"+ SecurityQuestion +"','"+ SecurityAnswer +"')";
int a = cmd.ExecuteNonQuery();
if (a > 0)
{
result = "valid";
}
}
}
catch (Exception)
{
result = "error";
}
return result;
}
}
点击按钮
the button click
protected void BtnSubmit_Click(object sender, EventArgs e)
{
string result = s.Register(txtEmail.Text, txtName.Text, txtSurname.Text, txtPassword.Text, drpQuestions.Text, txtAnswer.Text);
if (result == "True")
{
lblError2.Text = ("Successfully registered");
}
else
{
lblError2.Text = ("Unsuccessful");
}
}
推荐答案
首先做两件事:
1)不要连接字符串以构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。
2)停止吞咽异常并记录它们,以便您了解错误实际是什么。只需使用一个catch块来设置错误,因为返回字符串会抛弃您需要的所有信息,以便首先找出错误发生的原因!
所以修复查询 - 这是绝对的优先级,除非你喜欢通过输入表单来删除数据库 - 并更改catch块:
Start by doing two things:
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
2) Stop swallowing exceptions and log them so that you have some idea of what the error actually was. Just using a catch block to set "error" as the return string throws away all the information you needed to have to work out why the error occurred in the first place!
So fix the queries - that is an absolute priority, unless you like people deleting your database by typing in your form - and change the catch block:
catch (Exception ex)
{
result = "error";
Debug.WriteLine(ex.Message);
}然后在Debug.WriteLine行上放置一个断点,看看调试器点击它时会得到什么。
Then put a breakpoint on the Debug.WriteLine line and see what you get when the debugger hits it.
这篇关于使数据插入数据库而不是returni的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
