Why SqlReader's Read() is not working


Problem description




Hi everyone,

Problem: SqlDataReader.Read() is not working

User Action:
* enter their ID in a textbox and click a button

Program Action:
* Select their name from the database by the given ID value
* Then print their name with a "HI!" message in a RichTextBox or a TextBox

Error List:
* No Error

Here is my code:

using System;
using System.Data.SqlClient;
using System.Windows.Forms;

private void swipe_button_Click(object sender, EventArgs e)
{
    String ID_givenbyUSER = IDtxtBox.Text;
    SqlConnection sqlConn = null;
    sqlConn = new SqlConnection("Data Source=HOME-PC\\SQLEXPRESS;Initial Catalog=ABC_SchoolDB;Integrated Security=True");
    sqlConn.Open();
    // The user's text is concatenated straight into the SQL string
    SqlCommand cmd = new SqlCommand("select Student_Name from dbo.Sheet@Attendance where Serial_Id=" + " ' " + ID_givenbyUSER + " ' ", sqlConn);
    SqlDataReader sqlReader = cmd.ExecuteReader();
    richTxtBox.Clear();
    richTxtBox.AppendText("Hi buddy "); // This line works
    while (sqlReader.Read())
    {
        richTxtBox.AppendText("Hi buddy "); // But this does not run
        pwdbox.Text = (sqlReader["Student_Name"].ToString()); // This does not run either
    }
    if (sqlConn != null)
    {
        sqlConn.Close();
        sqlConn = null;
    }
}

Recommended answers

Is the SQL statement passed to SQL Server valid? That is, does it run if you copy it into a SQL window?
Does the cmd.ExecuteReader() call throw an exception?

There is one thing in this code that stands out as very dangerous. The way you construct the SQL command is open to a hack called SQL Injection. Anything typed into the text box will be passed to SQL. Hackers use coding defects like this to get access to stuff they shouldn't. You need to learn about parameterized queries that prevent this attack.


You reported that there is no error, and the code does everything within the block. That means Read is returning false. That means there are no records in the query you specified. That is, it's not a code problem per se.

Take your query with the exact input and run it in Query Analyzer. I'm really not sure about that table name either. Enclose it in brackets (e.g. dbo.[MyTableName]). Your input may need to match exactly to the field in the database if you have a collation that is case-sensitive.

P.S. You have a SQL injection vulnerability in your code. You should use parameters with your command.


Problem is here:
SqlCommand cmd = new SqlCommand("select Student_Name from dbo.Sheet@Attendance where Serial_Id=" + " ' " + ID_givenbyUSER + " ' ", sqlConn);

Instead, follow this:
SqlCommand cmd = new SqlCommand("select Student_Name from dbo.Sheet@Attendance where Serial_Id=' " + ID_givenbyUSER + " ' ", sqlConn);
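As an added example (not code from the original poster or from any of the answers above): the same lookup rewritten the way the answers recommend, with the ID bound as a parameter instead of concatenated into the SQL text, the table name in brackets, an explicit "no rows" path, and the input trimmed so the stray spaces around the quotes in the original cannot cause a miss. It assumes the connection string, the table dbo.[Sheet@Attendance] with string columns Serial_Id and Student_Name, and the designer fields IDtxtBox and richTxtBox from the question; the parameter type NVarChar and size 50 are assumptions about the column. The VulnerableQueryFor helper is added only to show what the original concatenation sends to the server.

```csharp
// Added example, not the original poster's code.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

public partial class SwipeForm : Form
{
    // Connection string copied from the question.
    private const string ConnectionString =
        "Data Source=HOME-PC\\SQLEXPRESS;Initial Catalog=ABC_SchoolDB;Integrated Security=True";

    // Reproduces the original concatenation so the injection is visible. Never call
    // this against a real server. Input  x' OR 1=1 --  produces
    //   select Student_Name from dbo.Sheet@Attendance where Serial_Id= ' x' OR 1=1 -- '
    // which returns every student: the "--" comments out the closing quote.
    public static string VulnerableQueryFor(string input)
    {
        return "select Student_Name from dbo.Sheet@Attendance where Serial_Id=" + " ' " + input + " ' ";
    }

    // Returns the student's name for the given ID, or null when no row matches.
    // The textbox value never becomes part of the SQL text: it is bound to @SerialId,
    // so quotes, comment markers or keywords typed by the user cannot change the query.
    public static string LookupStudentName(string serialId)
    {
        // Trim on purpose: the original built " ' " + id + " ' ", so the server was
        // asked for " 123 " (with spaces) and Read() returned false.
        string trimmed = (serialId ?? string.Empty).Trim();
        if (trimmed.Length == 0)
            return null;

        // Bracketed table name, as the second answer suggests.
        const string sql =
            "SELECT Student_Name FROM dbo.[Sheet@Attendance] WHERE Serial_Id = @SerialId";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Column type and size are assumptions; match them to the real schema.
            cmd.Parameters.Add("@SerialId", SqlDbType.NVarChar, 50).Value = trimmed;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return null;   // no matching record: a data problem, not a code problem
                return reader["Student_Name"] as string;   // DBNull becomes null
            }
        }
    }

    // Same button handler as the question, using the parameterized lookup.
    // IDtxtBox and richTxtBox are assumed to be the form's designer fields.
    private void swipe_button_Click(object sender, EventArgs e)
    {
        richTxtBox.Clear();
        try
        {
            string name = LookupStudentName(IDtxtBox.Text);
            if (name == null)
                richTxtBox.AppendText("No student with that ID.");
            else
                richTxtBox.AppendText("Hi buddy " + name + "!");
        }
        catch (SqlException ex)
        {
            // Show server-side errors (bad table name, permissions) instead of an empty box.
            richTxtBox.AppendText("Database error: " + ex.Message);
        }
    }
}
```

If Read() still returns false with the parameterized version, the remaining suspects are the ones the second answer lists: the value in Serial_Id does not match the typed text (trailing padding in a char column, or a case-sensitive collation), or the query is hitting a different table than you expect. Run the same SELECT with a literal in SQL Server Management Studio to confirm.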

