在com.ExecuteNonQuery()中的EROR IN UPATE; [英] EROR IN UPATE in com.ExecuteNonQuery();
本文介绍了在com.ExecuteNonQuery()中的EROR IN UPATE;的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
在com.ExecuteNonQuery()中思考EROR IN UPATE flagR = false;
EROR IN UPATE in think in com.ExecuteNonQuery(); flagR = false;
public bool UpDebitor(string Name, string PostNumber, string PhoneNumber,Guid ID)
{
bool flagR = true;
string query = string.Format("UPDATE Debitors SET Name = '{0}' , PostNumber = '{1}', PhoneNumber '{2}' WHERE ID = '{3}'",
Name, PostNumber, (PhoneNumber != String.Empty) ? PhoneNumber : null,ID);
using (SqlConnection con = new SqlConnection(constring))
{
SqlCommand com = new SqlCommand(query, con);
try
{
con.Open();
com.ExecuteNonQuery();
flagR = false;
}
catch
{
}
return flagR;
}
}
推荐答案
1)你应该真正使用Paramaterized Queries。 />
2)PhoneNumber''{2}''应为PhoneNumber =''{2}''
1) You should really be using Paramaterized Queries.
2)PhoneNumber ''{2}''should bePhoneNumber = ''{2}''
此代码的主要缺陷是它使用字符串数据来组成查询;并且你永远不应该这样做,因为从安全的角度来看这太危险了。
数据可以来自任何地方,包括用户输入。在这种情况下,它可以是任何东西,包括......一段SQL代码。这个简单的想法解释了一个名为 SQL Injection 的众所周知的漏洞:
http: //en.wikipedia.org/wiki/SQL_injection [ ^ ]。
本文还解释了参数化语句的重要性。您需要在代码中使用它们。请参阅:
http://msdn.microsoft.com/en-us /library/ms254953.aspx [ ^ ]。
-SA
The major flaw of this code is that it is using string data to compose a query; and you should never ever do it because this is too dangerous from the security standpoint.
The data can come from anywhere, including user input. In this case, it can be anything, including… a fragment of SQL code. This simple idea explain a well-known exploit called SQL Injection:
http://en.wikipedia.org/wiki/SQL_injection[^].
This article also explain the importance of parameterized statements. You need to use them in your code. Please see:
http://msdn.microsoft.com/en-us/library/ms254953.aspx[^].
—SA
这篇关于在com.ExecuteNonQuery()中的EROR IN UPATE;的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
