Hellow它我的编码，但数据不是数据库 [英] Hellow its my coding but data is not going in databse

问题描述

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Mime;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data;
using System.IO;

public partial class Register : System.Web.UI.Page
{
    DataBaseClass dbClass = new DataBaseClass();
    DataTable dt = new DataTable();
    string ToSaveImageName;
    string sImageFileExtension;
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void ButtonMakeProfile_Click(object sender, EventArgs e)
    {
       // string chkUser = "Select * FROM [user] where Email='" + TextBoxEmail.Text + "'";
       // dt = dbClass.ConnectDataBaseReturnDT(chkUser);
      //  if (dt.Rows.Count > 0)
        {

        }
        //else
        {
            if (UploadUserPhoto.PostedFile != null)
            {
                string myMap = MapPath("~/").ToLower();
                Random r = new Random();
                int next = r.Next();
                string ImageName = UploadUserPhoto.PostedFile.FileName;
                // ToSaveImageName = DateTime.Now.ToString("yyyy-MM-ddTmm:hh:ss");
                //ToSaveImageName.Replace('-', '1');
                //ToSaveImageName.Replace(':', '2');  
                //Directory.CreateDirectory(myMap + ToSaveImageName);
                sImageFileExtension = ImageName.Substring(ImageName.LastIndexOf(".")).ToLower();
                if (sImageFileExtension == ".gif" || sImageFileExtension == ".png" || sImageFileExtension == ".jpg" || sImageFileExtension == ".jpeg" || sImageFileExtension == ".bmp")
                {
                    string ImageSaveURL = myMap + "UserImage/" + next + sImageFileExtension;
                    try
                    {
                        UploadUserPhoto.PostedFile.SaveAs(ImageSaveURL);
                        string RegisterQuery = "INSERT INTO user (Email,Name,Designatin,Date,Aboutuser,ImageName) VALUES('" + TextBoxEmail.Text + "','" + TextBoxName.Text + "','" + TextBoxDesignation.Text + "','" + TextBoxDate.Text + "','" + TextBoxAboutuser.Text + "','" + next + sImageFileExtension + "')";
                        dbClass.ConnectDataBaseToInsert(RegisterQuery);

                        Response.Redirect("new user.aspx");
                    }
                    catch (Exception ex)
                    {
                    }
                }
                else
                {
                }
            }
            else
            {
                ToSaveImageName = "No";
                sImageFileExtension = "Image";
            }

        }
    }
}

推荐答案

有这里需要做的两件重要的事情：

1）不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。改为使用参数化查询。

2）永远不要吞下异常。使用

There are two important things you need to do here:
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
2) Never swallow exceptions. Using

catch (Exception ex)
{
}

只是毫无意义，因为它丢弃了有助于解决问题的所有信息，并且隐藏了用户存在的问题 - 所以就他而言，删除文件现在是安全的。 br />
始终保持最低限度的日志错误，并将其报告给您的用户对不起 - 我们在保存文件时遇到问题，请稍后再试



猜测（如果没有你丢弃的信息，那就是它的全部可能）你错误地将Designation输入为Designatin，并且SQL抱怨该列不存在。你知道的，如果你没有吞下这个例外...

Is just pointless as it throws away all the information which would help to to fix the problem, and hides the existence of the problem from the user - so as far as he is concerned it is now safe to delete the file.
Always at a bare minimum log errors, and report them to your user as "sorry - we had a problem saving your file, please try again later"

At a guess (and without the info you throw away that''s all it can be) you mistyped "Designation" as "Designatin" and SQL is complaining that the column does not exist. Which you would have known, if you hadn''t swallowed the exception...

这篇关于Hellow它我的编码，但数据不是数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！