如何更新当前数据并将其插入数据库,然后使用一个按钮打印所有数据。 [英] How to update and insert current data into a database then print all with one button.
本文介绍了如何更新当前数据并将其插入数据库,然后使用一个按钮打印所有数据。的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有三个网页表单。其中两个保存用户输入的数据。他们工作正常。第三个Web表单上有一个Submit按钮,它将从一个数据库获取数据并将其插入另一个on on按钮单击。相同的按钮也将使用CR打印报告。我的SQL语句不适用于第三个用于插入的Web表单。我做错了什么?
这是我的代码:
I have a three web forms. Two of them saves data that the user enters. They work fine. The third web form has a Submit button on it that will take the data from one database and insert it into another on on button click. The same button will also print a report using CR. My SQL statement is not working for the third web form for inserting. What did I do wrong?
Here is my code:
protected void ButtonSubmit2_Click(object sender, EventArgs e)
{
SqlConnection con2 = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
con2.Open();
SqlCommand scmd3 = new SqlCommand("Select User_ID, FT_UNDERGR, DATE, FT_GRAD, FTE_UNDERG, FTE_GRAD, NON_CREDIT, TOTAL_FTE, FCFTUHC, FCFTPBHC, FCPTUHC, FCPTPBHC, NCHC, UnderG12, Postb9, Total123b4b,INST_ID, FT_UNDERGR, DATE, FT_GRAD, FTE_UNDERG, FTE_GRAD, NON_CREDIT, TOTAL_FTE, FCFTUHC, FCFTPBHC, FCPTUHC, FCPTPBHC, NCHC, UnderG12, Postb9, Total123b4b, FTEYR, THCAS, FTE40, HC50, FTE4050 from Table2 where User_ID = '" + TextBoxUser_ID.Text + "'", con2);
SqlCommand cmd = new SqlCommand("Insert into Table1 (User_ID, FT_UNDERGR, DATE, FT_GRAD, FTE_UNDERG, FTE_GRAD, NON_CREDIT, TOTAL_FTE, FCFTUHC, FCFTPBHC, FCPTUHC, FCPTPBHC, NCHC, UnderG12, Postb9, Total123b4b, FTEYR, THCAS, FTE40, HC50, FTE4050);", con2);
con2.Close();
推荐答案
第一个问题:您的选择命令(scmd3
)正在使用字符串连接来插入用户ID,使其容易受到 SQL注入 [ ^ ]。
第二个问题:你有两个独立的命令,彼此一无所知。从scmd3
返回的数据不会神奇地将自身转移到中的
。INSERT
语句cmd
第三个问题:你永远不会执行任何一个命令。
解决方案很简单:将两个命令合并为一个INSERT
语句:
First problem: Your select command (scmd3
) is using string concatenation to insert the user ID, leaving it vulnerable to SQL Injection[^].
Second problem: You have two separate commands which know nothing about each other. The data returned fromscmd3
isn't going to magically transfer itself to theINSERT
statement incmd
.
Third problem: You never execute either command.
The solution is simple: combine the two commands into a singleINSERT
statement:
const string commandText = @"INSERT INTO Table1
(
User_ID,
FT_UNDERGR,
DATE,
FT_GRAD,
FTE_UNDERG,
FTE_GRAD,
NON_CREDIT,
TOTAL_FTE,
FCFTUHC,
FCFTPBHC,
FCPTUHC,
FCPTPBHC,
NCHC,
UnderG12,
Postb9,
Total123b4b,
FTEYR,
THCAS,
FTE40,
HC50,
FTE4050
)
SELECT
User_ID,
FT_UNDERGR,
DATE,
FT_GRAD,
FTE_UNDERG,
FTE_GRAD,
NON_CREDIT,
TOTAL_FTE,
FCFTUHC,
FCFTPBHC,
FCPTUHC,
FCPTPBHC,
NCHC,
UnderG12,
Postb9,
Total123b4b,
FTEYR,
THCAS,
FTE40,
HC50,
FTE4050
FROM
Table2
WHERE
User_ID = @UserID
;";
using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
using (SqlCommand cmd = new SqlCommand(commandText, con))
{
cmd.Parameters.AddWithValue("@UserID", TextBoxUser_ID.Text);
con.Open();
cmd.ExecuteNonQuery();
}
这篇关于如何更新当前数据并将其插入数据库,然后使用一个按钮打印所有数据。的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文