Problem for SQL queries


Question

SqlCommand cmd = new SqlCommand("Update policrec set policname,location,cortno,datac,dater,namem,crim4,fi5,nfi6,in7,tc8,tcn9,nca10,nc11,iv12,nc13,nca14,wr15,crp16,psm17,ops18,se19,ha20,frp21,mc22,src23,rlc24,icra25,mp26,pst27,ma28,mab28,mabi28,wrs29,mb30,fsm31,mtr32,r2g32,rnp32,mrt32,r2p32,rpn32,whr33,sci34,frm35,bsr36,acr37,bd38,phd40,dna41,ascr42,rign42,roz42,rgn42,rng42,wsp43,wrb44,mfo45,pstm46,zam47,mrds48,knm49,mch50,r1co51,r2pr51,rozn51,rigp51,ri12sr51,r19sr51,rig21r51,crtm52,adt53,quas54,supr55,pdsp56,cnid57,cirdt57,matc58,mat58,vitr59,sdtj59,dism60,apireg61,pnsh62,parpen63,cortmof64,corwnt65,zamt66,ciadd67,regstai68,inofic69,offista70 set values = N'" + polnam.Text + "',N'" + loct.Text + "',N'" + cort.Text + "',N'" + datc.Text + "',N'" + datr.Text + "',N'" + namm.Text + "',N'" + crm.Text + "',N'" + crmfir.Text + "',N'" + nafir.Text + "',N'" + invesn.Text + "',N'" + nocrm.Text + "',N'" + nocrd.Text + "',N'" + noadd.Text + "',N'" + textBox13.Text + "',N'" + textBox14.Text + "',N'" + textBox15.Text + "',N'" + textBox16.Text + "',N'" + textBox17.Text + "',N'" + comboBox2.Text + "',N'" + comboBox3.Text + "',N'" + comboBox4.Text + "',N'" + comboBox5.Text + "',N'" + comboBox6.Text + "',N'" + comboBox7.Text + "',N'" + textBox18.Text + "',N'" + comboBox8.Text + "',N'" + comboBox9.Text + "',N'" + comboBox10.Text + "',N'" + comboBox11.Text + "',N'" + comboBox12.Text + "',N'" + textBox19.Text + "',N'" + textBox20.Text + "',N'" + textBox21.Text + "',N'" + comboBox13.Text + "',N'" + comboBox14.Text + "',N'" + comboBox1.Text + "',N'" + comboBox15.Text + "',N'" + textBox1.Text + "',N'" + textBox2.Text + "',N'" + comboBox16.Text + "',N'" + textBox3.Text + "',N'" + textBox4.Text + "',N'" + comboBox17.Text + "',N'" + comboBox18.Text + "',N'" + comboBox19.Text + "',N'" + comboBox20.Text + "',N'" + comboBox21.Text + "',N'" + comboBox22.Text + "',N'" + comboBox23.Text + "',N'" + comboBox24.Text + "',N'" + comboBox25.Text + "',N'" + comboBox26.Text + "',N'" + textBox5.Text + 
"',N'" + textBox6.Text + "',N'" + textBox7.Text + "',N'" + textBox8.Text + "',N'" + comboBox27.Text + "',N'" + comboBox28.Text + "',N'" + comboBox29.Text + "',N'" + comboBox30.Text + "',N'" + comboBox31.Text + "',N'" + comboBox32.Text + "',N'" + comboBox33.Text + "',N'" + comboBox34.Text + "',N'" + textBox9.Text + "',N'" + textBox10.Text + "',N'" + textBox11.Text + "',N'" + textBox12.Text + "',N'" + textBox22.Text + "',N'" + textBox23.Text + "',N'" + textBox24.Text + "',N'" + comboBox35.Text + "',N'" + comboBox36.Text + "',N'" + comboBox37.Text + "',N'" + comboBox38.Text + "',N'" + comboBox39.Text + "',N'" + textBox25.Text + "',N'" + textBox26.Text + "',N'" + comboBox40.Text + "',N'" + textBox27.Text + "',N'" + textBox28.Text + "',N'" + textBox29.Text + "',N'" + comboBox41.Text + "',N'" + comboBox42.Text + "',N'" + comboBox43.Text + "',N'" + comboBox44.Text + "',N'" + comboBox45.Text + "',N'" + comboBox46.Text + "',N'" + comboBox47.Text + "',N'" + comboBox48.Text + "',N'" + comboBox49.Text + "',N'" + textBox30.Text + "' N'" + textBox31.Text + "')", abc);




The above update query does not work correctly. Please help, anybody.

Recommended answers

For goodness sake!
Don't do it like that!
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
2) Don't accept the default names for controls - give them names that actually mean something. You might remember that textBox31 holds the name of the office involved today, but by next week you will be hunting for it like the rest of us, and using the wrong fields in the wrong places.
3) Do you actively hate your users? Any form which has at least 46 comboboxes and 31 text boxes is going to be a real PITA to use. How do you expect your user to be able to work out what to put where?
4) You do realize that if you do not include a WHERE clause, an UPDATE statement will change every row of the table?
5) Have you looked at the syntax of an UPDATE statement recently? That isn't it...
UPDATE <table_name> SET <field1>=<new value>,<field2>=... WHERE ...
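The parameterized UPDATE with a WHERE clause that this answer recommends, written out as an added example (it is not part of the original question or answer). It targets the policrec table and the first four column names from the question; the remaining columns follow the same pattern. The key column recid, the form-level SqlConnection, the meaningful control names in the comment and the nvarchar lengths are assumptions, since the question shows none of them.

```csharp
// Added example, not the poster's code: one row of policrec updated through
// SqlParameter objects instead of string concatenation. The SQL text is a
// constant, so whatever the user types (a quote, a semicolon, O'Brien) is
// carried as data and can never change the statement itself.
using System;
using System.Data;
using System.Data.SqlClient;

public static class PoliceRecordRepository
{
    // Assumed key column "recid"; the question's query had no WHERE clause,
    // which would have rewritten every row in the table.
    private const string UpdateSql =
        "UPDATE policrec " +
        "SET policname = @policname, location = @location, " +
        "    cortno = @cortno, datac = @datac " +
        "WHERE recid = @recid";

    // Returns the number of rows changed; exactly one is expected.
    // Caller (a form) would pass e.g. txtPoliceName.Text, cmbLocation.Text ...
    // (assumed control names) rather than textBox13.Text.
    public static int UpdateRecord(SqlConnection conn, int recordId,
                                   string policeName, string location,
                                   string courtNo, string dateCommitted)
    {
        using (var cmd = new SqlCommand(UpdateSql, conn))
        {
            // Explicit types and lengths (assumed) avoid the implicit-type
            // guessing of AddWithValue and match the N'...' values of the question.
            cmd.Parameters.Add("@policname", SqlDbType.NVarChar, 100).Value = policeName ?? "";
            cmd.Parameters.Add("@location",  SqlDbType.NVarChar, 100).Value = location ?? "";
            cmd.Parameters.Add("@cortno",    SqlDbType.NVarChar, 50).Value  = courtNo ?? "";
            cmd.Parameters.Add("@datac",     SqlDbType.NVarChar, 50).Value  = dateCommitted ?? "";
            cmd.Parameters.Add("@recid",     SqlDbType.Int).Value           = recordId;

            if (conn.State != ConnectionState.Open)
                conn.Open();

            int rows = cmd.ExecuteNonQuery();
            if (rows != 1)
                throw new InvalidOperationException(
                    "Expected to update exactly 1 row of policrec, updated " + rows);
            return rows;
        }
    }
}
```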


I am not surprised that the above query did not work properly. It is a really bad practice to concatenate strings in a query; it leaves you prone to SQL injection attacks. You should always use a parametrized query: it will be easy to debug and trace errors, and it avoids SQL injection as well.

hope it helps :)



