while running in server


Problem description

SqlConnection con = new SqlConnection("server=.; user id=sa;password=sa123;database=EMPLOYEE_DETAILS");

string S="Select * from EMPLOYEE_DETAILS WHERE DEPTNO="+Session["D"];
SqlDataAdapter da = new SqlDataAdapter(S,con);
DataSet ds = new DataSet();
da.Fill(ds, "EMPLOYEE_DETAILS");//showing error here
GridView1.DataSource = ds.Tables[0];
GridView1.DataBind();

Recommended answers

Start by looking at the error message: it should give you a clue as to what the problem is. We don't know what the message says, so we can't be explicit.

So start with the obvious stuff:
1) Does the Session contain anything stored under "D"?
2) If it does, what is it? What datatype is it? Does it have any spaces, or other special characters?
3) Is the Table name correct?

It's probably one of those - but we can't tell: and you have a debugger so you can.


I want to add some detail to the very important comment by Richard Deeming.

Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();
hi name is not displaying in name?

—SA


Try This!...

SqlConnection con = new SqlConnection("server=.; user id=sa;password=sa123;database=EMPLOYEE_DETAILS");
 
string S="Select * from EMPLOYEE_DETAILS WHERE DEPTNO="+Session["D"];
SqlDataAdapter da = new SqlDataAdapter(S,con);
DataSet ds = new DataSet();
da.Fill(ds); 
GridView1.DataSource = ds.Tables[0];
GridView1.DataBind();

Try to use stored procedures to avoid SQL injection attacks!...
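The parameterised form of the question's query, combining the Session["D"] checks from the first answer, the parametrized statement the second answer recommends and the stored-procedure route the last answer mentions. This is an added example, not code from the question or any of the answers; the connection-string name, the page class and the stored-procedure name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public partial class EmployeePage : System.Web.UI.Page
{
    // Assumed: connection string read from web.config instead of hard-coding the sa account.
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["Employee"].ConnectionString;

    // Set to true to call the (assumed) stored procedure instead of inline SQL.
    private const bool UseStoredProcedure = false;

    protected void BindEmployees()
    {
        // 1) Does the Session contain anything stored under "D"?
        object raw = Session["D"];
        if (raw == null)
            throw new InvalidOperationException("Session[\"D\"] is not set.");

        // 2) What datatype is it? DEPTNO is numeric, so reject anything that does not
        //    parse as an int instead of pasting it into the SQL text.
        int deptNo;
        if (!int.TryParse(Convert.ToString(raw).Trim(), out deptNo))
            throw new InvalidOperationException("Session[\"D\"] is not a department number.");

        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = con.CreateCommand())
        using (var da = new SqlDataAdapter(cmd))
        {
            if (UseStoredProcedure)
            {
                // A stored procedure only helps if it does not build dynamic SQL itself.
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.CommandText = "usp_EmployeesByDept";   // assumed name
            }
            else
            {
                cmd.CommandText = "SELECT * FROM EMPLOYEE_DETAILS WHERE DEPTNO = @DeptNo";
            }

            // The value travels as a typed parameter, never as part of the statement text.
            cmd.Parameters.Add("@DeptNo", SqlDbType.Int).Value = deptNo;

            var ds = new DataSet();
            da.Fill(ds, "EMPLOYEE_DETAILS");   // second argument is only the DataTable label
            GridView1.DataSource = ds.Tables["EMPLOYEE_DETAILS"];
            GridView1.DataBind();
        }
    }
}
```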

