Please solve this problem


Question

Hello Everyone,
I have written code to insert the dynamically generated textbox values into the database. I want to check all the dynamically generated textboxes at once. Only if no textbox is empty should it insert the textbox values into the database. But in my code it inserts the textbox value if even one of the textboxes has a serial number value. How to resolve this? Kindly help.
My code is

if (txtQuantity.Text != "")
{
    try
    {
        // One pass over the dynamically generated textboxes: each one is
        // checked and, if non-empty, inserted straight away
        for (int i = 0; i < quantity; i++)
        {
            if (Request.Form["Textbox" + i.ToString()].Trim() == "")
            {
                Page.ClientScript.RegisterStartupScript(this.GetType(), "myalert", "alert('Enter Serial Number');", true);
                //Button2.Attributes.Add("onClick", "return false;");
            }
            else
            {
                // Label17.Visible = false;
                con.Open();
                // SQL built by string concatenation from form and control values
                string qryInsertProduct = "insert into Product_Details(GatePassNo,ClientID,Product_name,SerialNo,Status,CheckIN_Date ,Customer_Name, Customer_location, System_Date, [GatePass Status],State, City,S) values('" + GatePassNo + "','" + clientID + "','" + productName + "','" + Request.Form["Textbox" + i.ToString()] + "','" + status + "','" + TextBox1.Text + "','" + ddlCName.SelectedItem.Value + "','" + ddlCLocation.SelectedItem.Value + "','" + Label11.Text + "', 'Open','" + DropDownList1.SelectedItem.Value + "','" + DropDownList2.SelectedItem.Value + "','0')";
                SqlCommand comInsertProduct = new SqlCommand(qryInsertProduct, con);
                comInsertProduct.ExecuteNonQuery();
                con.Close();
                gdvProducts.Visible = true;
                PopulateGridView();
            }
        }
    }
    catch (Exception ex)
    {
        // Empty catch: any database error is silently swallowed
    }
    finally
    {
        if (con.State == ConnectionState.Open)
        {
            con.Close();
        }
    }
}

Answer

You have bigger problems than you think...

Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks, which can destroy your entire database. Use parameterized queries instead. Particularly in a web based application, where I could delete your whole database from the other side of the world!

But...to the problem you have noticed: Simple: You only check one textbox. If it's not empty you insert. Which means that if you have four textboxes, you insert up to four times...

Check them first, in one loop, and build up a list of items to insert.
If they all pass, then do one single insert operation. If any fail, report the error and exit.
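The pattern the answer describes, as an added example that is not part of the answer or the asker's project: validate every serial number first, and only if all pass insert them with SqlParameter values inside one transaction. The helper names, the reduced column list, the parameter types and sizes, and taking the textbox values as a list (collected from Request.Form by the caller) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper: check all values before touching the database,
// then insert with parameters so no form value is ever parsed as SQL.
public static class ProductInsert
{
    // Returns one message per empty textbox; an empty list means all passed.
    public static List<string> ValidateSerials(IList<string> serials)
    {
        var errors = new List<string>();
        for (int i = 0; i < serials.Count; i++)
        {
            if (string.IsNullOrWhiteSpace(serials[i]))
                errors.Add("Textbox" + i + ": serial number is required");
        }
        return errors;
    }

    // Inserts one row per serial; either every row commits or none does.
    public static int InsertAll(string connectionString, string gatePassNo,
                                int clientId, string productName, IList<string> serials)
    {
        var errors = ValidateSerials(serials);
        if (errors.Count > 0)
            throw new ArgumentException(string.Join("; ", errors)); // report and exit, insert nothing

        // Column list reduced for the example (assumption); placeholders replace concatenation
        const string sql = "INSERT INTO Product_Details (GatePassNo, ClientID, Product_name, SerialNo) " +
                           "VALUES (@GatePassNo, @ClientID, @ProductName, @SerialNo)";
        using (var con = new SqlConnection(connectionString))
        {
            con.Open();
            using (var tx = con.BeginTransaction())
            using (var cmd = new SqlCommand(sql, con, tx))
            {
                cmd.Parameters.Add("@GatePassNo", SqlDbType.NVarChar, 50).Value = gatePassNo;
                cmd.Parameters.Add("@ClientID", SqlDbType.Int).Value = clientId;
                cmd.Parameters.Add("@ProductName", SqlDbType.NVarChar, 100).Value = productName;
                SqlParameter serialParam = cmd.Parameters.Add("@SerialNo", SqlDbType.NVarChar, 100);
                int rows = 0;
                foreach (string serial in serials)
                {
                    serialParam.Value = serial.Trim(); // sent as data, not as part of the statement
                    rows += cmd.ExecuteNonQuery();
                }
                tx.Commit();
                return rows;
            }
        }
    }
}
```

In the page handler, build the list with `Request.Form["Textbox" + i]` for `i` below `quantity`, and show the alert only when `ValidateSerials` returns errors.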

