Syntax error in UPDATE statement....


Problem description

// Needs: using System; using System.Data.OleDb; (MessageBox also needs System.Windows.Forms)
protected void Button1_Click(object sender, EventArgs e)
{
    string a, b, c, d, f, g;
    a = DropDownList2.SelectedItem.Text;
    b = DropDownList3.SelectedItem.Text;
    c = DropDownList4.SelectedItem.Text;
    d = DropDownList5.SelectedItem.Text;
    f = DropDownList6.SelectedItem.Text;
    g = DropDownList7.SelectedItem.Text;

    try
    {
        OleDbConnection con2 = new OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\\db_attendance.accdb");
        con2.Open();
        // The UPDATE is assembled by concatenating user input straight into the SQL text;
        // totalstud, batchqty and ID are inserted without quotes, the other columns with them.
        string upd12 = "update tbl_assigntask set class='" + a + "',subject='" + b + "',teacher='" + c + "',time='" + d + "',days='" + f + "',subtype='" + g + "',totalstud=" + TextBox2.Text + ",batchqty=" + TextBox3.Text + ", batchname='" + TextBox4.Text + "' where ID=" + TextBox1.Text + "";
        OleDbCommand cmd12 = new OleDbCommand(upd12, con2);
        cmd12.ExecuteNonQuery();
        string ff2 = "Record Updated Successfully";

        ClientScript.RegisterStartupScript(this.GetType(), "myalert", "alert('" + ff2 + "');", true);
        con2.Close();
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message.ToString());
    }
}

Recommended answers

Could you please test your code with the following in the TextBox2.Text field?

'; Drop table tbl_assignTask;--'

I think that will fix this problem you are having for now...

edit: and Ravichova is right, you're missing a few '


string upd12 = "update tbl_assigntask set class='" + a + "',subject='" + b + "',teacher='" + c + "',time='" + d + "',days='" + f + "',subtype='" + g + "',totalstud=" + TextBox2.Text + ",batchqty=" + TextBox3.Text + ", batchname='" + TextBox4.Text + "' where ID=" + TextBox1.Text + "";




Try running this query in server studio to check if it is working.
There could be some numbers where you are pushing strings or vice versa.


The OP has finally confirmed
Quote:


data type for all columns is text.
all variable values are text

and that the variables contain the following:

update tbl_assigntask set class='First',subject='c',teacher='JN',time='2:30:00 PM',days='Monday',subtype='Practicle',totalstud=50,batchqty=15, batchname='Batch1, ' where ID=65





As all of the columns are "text", all of the values passed should be surrounded by single quotes, so the code needs to change to

string upd12 = "update tbl_assigntask set class='" + a + "',subject='" + b + "',teacher='" + c + "',time='" + d + "',days='" + f + "',subtype='" + g + "',totalstud='" + TextBox2.Text + "',batchqty='" + TextBox3.Text + "', batchname='" + TextBox4.Text + "' where ID='" + TextBox1.Text + "'";





The change is subtle, so to be clear the values passed in for columns totalstud, batchqty and ID need to be surrounded by single quotes... which is what ravikhoda said in a comment yesterday!

This problem would not have arisen if you had used Parameterized Queries. Not only do they help prevent SQL Injection (so amusingly demonstrated by woudwijk in Solution 1) but all of that business with single quotes, column types etc. is taken care of for you - I strongly advise you to read up on them
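A parameterised version of the question's UPDATE, written here as an added example (it is not code from the question or from any of the answers); it assumes the same Access file and table as the question and, as the OP confirmed, that every column is text:

```csharp
using System;
using System.Data.OleDb;

// Added example: the UPDATE from the question as a parameterised OleDbCommand,
// which is what Solution 3 recommends. Assumes the same database file and table
// as the question; every column is text, so every parameter is bound as VarWChar.
public static class AssignTaskRepository
{
    const string ConnectionString =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\\db_attendance.accdb";

    // OLE DB has no named parameters: each '?' is filled from cmd.Parameters in the
    // order the parameters were added, so the Add calls below must keep this order.
    const string UpdateSql =
        "UPDATE tbl_assigntask " +
        "SET class=?, subject=?, teacher=?, time=?, days=?, subtype=?, " +
        "totalstud=?, batchqty=?, batchname=? " +
        "WHERE ID=?";

    // Returns the number of rows updated: 1 when the ID exists, 0 when it does not.
    public static int UpdateAssignTask(string cls, string subject, string teacher,
        string time, string days, string subtype, string totalstud,
        string batchqty, string batchname, string id)
    {
        using (var con = new OleDbConnection(ConnectionString))
        using (var cmd = new OleDbCommand(UpdateSql, con))
        {
            // The parameter names are ignored by the provider; they only document the order.
            cmd.Parameters.Add("@class", OleDbType.VarWChar).Value = cls;
            cmd.Parameters.Add("@subject", OleDbType.VarWChar).Value = subject;
            cmd.Parameters.Add("@teacher", OleDbType.VarWChar).Value = teacher;
            cmd.Parameters.Add("@time", OleDbType.VarWChar).Value = time;
            cmd.Parameters.Add("@days", OleDbType.VarWChar).Value = days;
            cmd.Parameters.Add("@subtype", OleDbType.VarWChar).Value = subtype;
            cmd.Parameters.Add("@totalstud", OleDbType.VarWChar).Value = totalstud;
            cmd.Parameters.Add("@batchqty", OleDbType.VarWChar).Value = batchqty;
            cmd.Parameters.Add("@batchname", OleDbType.VarWChar).Value = batchname;
            cmd.Parameters.Add("@ID", OleDbType.VarWChar).Value = id;

            con.Open();
            // The values travel separately from the SQL text, so a quote, comma or
            // semicolon typed into TextBox2 (the point of Solution 1) is stored as plain
            // text and can neither alter the statement nor break its syntax.
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Inside the existing try/catch, Button1_Click then reduces to a single call such as `AssignTaskRepository.UpdateAssignTask(a, b, c, d, f, g, TextBox2.Text, TextBox3.Text, TextBox4.Text, TextBox1.Text)`, with no quoting decisions left in the page code.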

