我的应用程序中未提交更新 [英] the Update Not Commited in my Application

问题描述

我的应用程序有更新数据库表的updatepage.aspx ..问题是当我点击按钮它需要旧值..并且没有错误，这里是我的代码..希望从masters找到解决方案=] < br $> b $ b

my aplication has updatepage.aspx which updates database tables .. the problem is when i click the button it takes the old values .. and no error ,, here is my code .. hope to find solution from masters =]

protected void Button1_Click(object sender, EventArgs e)
   {
       prepareConnection();
       //Update News
       if (_CatID == "1")
       {

           if (FileUpload1.HasFile)
           {
               prepareConnection();
               string FileName = Path.GetFileName(FileUpload1.PostedFile.FileName);
               //save file to disk

               FileUpload1.SaveAs(Server.MapPath("~/ArticleImages/News/" + FileName));
               _command.CommandText = "UPDATE News SET Title=" + "N'" + titleTextBox.Text + "'" + "," + "Contect=" + "N'" + CKEditor1.Text + "'" + ",img=@FilePath WHERE ID='" + Convert.ToInt16(lblID.Text) + "';";
               _command.Parameters.AddWithValue("FilePath", "~/ArticleImages/News/" + FileName);
               try
               {
                   _command.ExecuteNonQuery();
               }
               catch (Exception ex)
               {
                   Response.Write(ex.Message);
               }

           }
           else
           {
               prepareConnection();
               _command.CommandText = "UPDATE News SET Title=" + "N'" + titleTextBox.Text + "'" + "," + "Contect=" + "N'" + CKEditor1.Text + "'" + " WHERE ID='" + Convert.ToInt16(lblID.Text) + "';";
               try
               {
                   _command.ExecuteNonQuery();
               }
               catch (Exception ex)
               {
                   Response.Write(ex.Message);
               }
           }

推荐答案

两件事：

1 ）不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。请改用参数化查询。特别是在基于Web的应用程序中，来自世界另一端的人可能会在没有努力的情况下破坏您的数据库...

2）检查您的页面加载事件：我很确定您不会检查 IsPostback [ ^ ]在设置页面之前 - 这意味着当用户单击该按钮时，您会在执行Button_Click事件之前覆盖其新值...

Two things:
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. Particularly in a web based application, where someone from the other side of the world could destroy your database without even trying hard...
2) Check your Page Load event: I am pretty sure you don't check for IsPostback[^] ebfore setting up your page - which means when the user clicks the button, you overwrite his new values before the Button_Click event is actioned...

这篇关于我的应用程序中未提交更新的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！