数据没有插入sql数据库中 [英] data is not getting inserted in sql database
本文介绍了数据没有插入sql数据库中的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有注册webform,我已经在注册按钮上写了插入查询。
它工作正常。但我已经添加了文件上传用于图像上传和更改后。我的数据没有插入。请帮忙。
这是我的代码 -
i have signup webform and i have written insert query on signup button.
It was working correctly.But i have added fileupload for image uploading and after changing this.My data is not getting inserted.Please help.
Here is my code-
SqlConnection conn = new SqlConnection("Data Source=SNEHAL-PC\\SNEHAL1;Initial Catalog=TEMPRUJU;Integrated Security=True");
SqlCommand cmd;
cmd = new SqlCommand("insert into login(name,midname,surname,username,password,contact,dob,email,address,occupation,ltype,image) values('" + txtfirst.Text + "','" + txtmid.Text + "','" + txtsur.Text + "','" + txtname.Text + "','" + txtpass.Text + "','" + txtcontact.Text + "','" + txtdob.Text + "','" + txtemail.Text + "','" + txtaddr.Text + "','" + txtocc.Text + "','" + typeButtonList1.SelectedValue + "','"+image1.ImageUrl+"')", conn);
cmd.ExecuteNonQuery();
Response.Redirect("WebForm1.aspx");
protected void btn_upload_Click(object sender, EventArgs e)
{
lbl_test.Text = "";
if (fileimage1.HasFile)
{
FileUpload fileupload1 = fileimage1;
String v_folder = "imageupload/";
fileupload1.SaveAs(Server.MapPath(v_folder) + fileupload1.FileName);
image1.ImageUrl = v_folder + fileupload1.FileName;
String extension;
extension = Path.GetExtension(image1.ImageUrl);
if (extension == ".png" || extension == ".PNG" || extension == ".JPEG" || extension == ".jpeg" || extension == ".jpg" || extension == ".JPG" || extension == ".gif" || extension == ".GIF" || extension == ".bmp" || extension == ".BMP" || extension == ".TIF" || extension == ".tif" || extension == ".psd" || extension == ".PSD")
{
lbl_test.Text = "File uploaded successfully";
}
else
{
lbl_test.Text = "please upload Image file";
}
}
推荐答案
确保图像的数据类型为varchar或image为根据您的要求,在表中放置正确的数据类型
make sure that the datattype for image is varchar or image as per your requirement place the correct datatype in table
首先,停止这样做。
不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。特别是在网络环境中,我可以从世界的另一端销毁你的数据库...
然后,当用参数重新编码时,添加尝试...捕获该代码周围的块,并尽可能详细地报告或记录任何问题。在你这样做之前,我们无法告诉你如何修复它,因为我们和你一样黑暗 - 但你可以运行你的代码......所以当你这样做并得到一条错误信息时,它应该给出你有什么问题的线索......
First off, stop doing that.
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. Particularly in a web environment, where I could destroy your DB from the other side of the world...
Then, when it is re-coded with parameters, add a try...catch block around that code and report or log any problems with as much detail as you can. Until you do that, we can't tell you how to fix it, because we are as much in the dark as you are - but you can run your code...so when you do and get an error message, it should give you a clue as to what is wrong...
这篇关于数据没有插入sql数据库中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
