plz更正波纹管鳕鱼从asp.net表格输入数据到数据库表..... [英] plz correct the bellow cod for entering datas from a asp.net form to database table.....
本文介绍了plz更正波纹管鳕鱼从asp.net表格输入数据到数据库表.....的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
public partial class user_onlinepatientregistration : System.Web.UI.Page
{
Class1 ob = new Class1();
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
bindcountry();
// clear();
}
}
void clear()
{
bindcountry();
bind_state();
bind_city();
pn.Text = "";
age.Text = "";
pq.Text = "";
pno.Text = "";
email.Text = "";
add.Text = "";
}
public void bindcountry()
{
ob.fetch("select * from admin_country order by countryid");
drdcon.Items.Clear();
drdcon.DataSource = ob.ds.Tables[0];
drdcon.DataTextField = "countryname";
drdcon.DataBind();
drdcon.Items.Insert(0, "select");
}
protected void btnsubmit_Click(object sender, EventArgs e)
{
if (pn.Text.Trim() == "")
{
lblmsgpn.Text = "name should not blank";
pn.Focus();
return;
}
if (pq.Text.Trim() == "")
{
lblmsgpq.Text = "patient query should not be blank";
pq.Focus();
return;
}
if (email.Text.Trim() == "")
{
lblmsgemail.Text = "Email Id should not be blank";
email.Focus();
return;
}
if (pno.Text.Trim() == "")
{
lblmsgpno.Text = "Mobile should not be blank";
pno.Focus();
return;
}
if (drdcon.SelectedIndex == 0)
{
lblmsgcon.Text = "Country name most be selected";
drdcon.Focus();
return;
}
if (drdst.SelectedIndex == 0)
{
lblmsgst.Text = "State name most be selected";
drdst.Focus();
return;
}
if (drdge.SelectedIndex == 0)
{
lblmsgage.Text = "Security question must be selected";
drdge.Focus();
return;
}
if (drddept.SelectedIndex == 0)
{
lblmsgdept.Text = "Security question must be selected";
drddept.Focus();
return;
}
if (drddoctor.Text.Trim() == "")
{
lblmsgdr.Text = "Answer should not be blank";
drddoctor.Focus();
return;
}
ob.fetch("select Email from onlinepatient_reg where Email='" + email.Text + "'");
if (ob.ds.Tables[0].Rows.Count > 0)
{
lblmsgemail.Text = "Already Exists";
email.Text = "";
email.Focus();
return;
}
else
{
if (ob.dml_statment("insert into onlinepatient_reg values('" + pn.Text.Trim() + "','" + drdge.Text.Trim() + "','" + age.Text.Trim() + "','" + pq.Text.Trim() + "';'" + drddept.Text.Trim() + "','" + drddoctor.Text.Trim() + "','" + pno.Text.Trim() + "','" + email.Text.Trim() + "','" + add.Text.Trim() + "','" + drdcon.SelectedItem.Text + "', '" + drdst.SelectedItem.Text + "','" + drdcit.SelectedItem.Text + "','" + "')") > 0)
{
Response.Write("<script LANGUAGE='JavaScript'>alert('Data Submitted Sucessfully')</script>");
clear();
}
}
}
public void bind_state()
{
ob.fetch("select * from admin_state where country='" + drdcon.SelectedItem.Text + "'");
drdst.Items.Clear();
drdst.DataSource = ob.ds.Tables[0];
drdst.DataTextField = "statename";
drdst.DataBind();
drdst.Items.Insert(0, "select");
}
protected void drdcon_SelectedIndexChanged(object sender, EventArgs e)
{
bind_state();
}
public void bind_city()
{
ob.fetch("select * from admin_city where state='" + drdst.SelectedItem.Text + "'");
drdcit.Items.Clear();
drdcit.DataSource = ob.ds.Tables[0];
drdcit.DataTextField = "cityname";
drdcit.DataBind();
drdcit.Items.Insert(0, "select");
}
protected void drdst_SelectedIndexChanged(object sender, EventArgs e)
{
bind_city();
}
protected void Button2_Click(object sender, EventArgs e)
{
Response.Write("REGISTRATION SUCCESSFUL");
}
protected void Button3_Click(object sender, EventArgs e)
{
clear();
drdcit.SelectedIndex = 0;
email.Focus();
}
}
推荐答案
首先了解SQL注入及其危险,然后如何避免它 - 例如来自 http://www.dotnetperls.com/sqlparameter [ ^ ]
这将提示你重写代码行当前
Firstly learn about SQL Injection and it's dangers, then how to avoid it - e.g. from http://www.dotnetperls.com/sqlparameter[^]
That is going to prompt you to rewrite the line of code which is currently
if (ob.dml_statment("insert into onlinepatient_reg values('" + pn.Text.Trim() + "','" + drdge.Text.Trim() + "','" + age.Text.Trim() + "','" + pq.Text.Trim() + "';'" + drddept.Text.Trim() + "','" + drddoctor.Text.Trim() + "','" + pno.Text.Trim() + "','" + email.Text.Trim() + "','" + add.Text.Trim() + "','" + drdcon.SelectedItem.Text + "', '" + drdst.SelectedItem.Text + "','" + drdcit.SelectedItem.Text + "','" + "')") > 0)
当你这样做时,你会发现一个分号; 这里没有分号,在值列表的末尾看似无关的字符,'+'
如果您在 try-catch 块中附上了写入数据库的尝试,那么您可能已经能够捕获导致的SQL错误。请参阅 http://www.dotnetperls.com/catch [ ^ ]
When you have done that you will spot a semi-colon ; where no semi-colon should be, and what appears to be extraneous characters at the end of the values list ,'" + "'
If you had enclosed the attempt to write to the database in a try-catch block you may have been able to capture the SQL error that resulted. See http://www.dotnetperls.com/catch[^]
这篇关于plz更正波纹管鳕鱼从asp.net表格输入数据到数据库表.....的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
