从字符串“"转换updat员工将fname ='p'设置为'Integer'类型无效 [英] Conversion from string " updat Employee set fname='p' to type 'Integer' is not valid

查看:53
本文介绍了从字符串“"转换updat员工将fname ='p'设置为'Integer'类型无效的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

你好

我单击行将其更新时要更新:

Hello

I want update when I click sumit it to line: 

Catch ex As Exception<br />
            MsgBox("Can not Update Data : " & & ex.Message, MsgBoxStyle.Critical, "Error Meaage")<br />
                Exit Sub



MsgBox错误:



MsgBox error:

Can not Update Data: Conversion from string "update Employee set  minit='ppp'" to type 'Integer' is not valid.



我不知道这是什么意思?

我的代码:



I don''t know what it mean ?

my code:

    Protected Sub submit_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles submit.Click
        Dim con As SqlConnection
        Dim da As SqlDataAdapter = New SqlDataAdapter
        Dim ds As DataSet = New DataSet()
        Dim sqlcommand As String
        Dim sqlcmd As SqlCommand
        Dim rowaffected As Integer

        con = New SqlConnection(connStr)

        If (Request.QueryString("edit") <> "") Then
            sqlcommand = "update Employee set "
            sqlcommand &= "fname= '" & FirstName.Text.Trim & "',"
            sqlcommand &= "minit= '" & minit.Text.Trim & "',"
            sqlcommand &= "LNAME= '" & LastName.Text.Trim & "',"

            sqlcommand &= "ADDRESS= '" & Address.Text.Trim & "',"

            If male.Checked = True Then
                sqlcommand &= "sex = 'M' , "
            Else
                sqlcommand &= "sex = 'F' , "
            End If
            sqlcommand &= "salary= '" & Salary.Text.Trim & "',"
            sqlcommand &= "dno= '" & Department.SelectedValue & "' "
            sqlcommand &= "where ssn= '" & Request.QueryString("edit").ToString & "'"


            Try
                sqlcmd = New SqlCommand
                con.Open()
                sqlcmd.CommandType = CommandType.Text
                sqlcmd.CommandType = sqlcommand
                sqlcmd.Connection = con
                rowaffected = sqlcmd.ExecuteNonQuery

            Catch ex As Exception
            MsgBox("Can not Update Data : " & & ex.Message, MsgBoxStyle.Critical, "Error Meaage")
                Exit Sub
            Finally
                con.Close()
                Response.Redirect("sql8.aspx")
            End Try
        Else
            sqlcommand = " insert into employee (ssn, fname,minit, lname,"
            sqlcommand &= " address,sex,salary, dno) values("
            sqlcommand &= "'" & SSN.Text.Trim & "',"
            sqlcommand &= "'" & firstName.Text.Trim & "',"
            sqlcommand &= "'" & minit.Text.Trim & "',"
            sqlcommand &= "'" & LastName.Text.Trim & "',"

            sqlcommand &= "'" & Address.Text.Trim & "',"
            If male.Checked = True Then
                sqlcommand &= "'M',"
            Else
                sqlcommand &= "'F',"

            End If
            sqlcommand &= "'" & Salary.Text.Trim & "',"
            sqlcommand &= "'" & Department.Text.Trim & "')"
            Try
                sqlcmd = New SqlCommand
                con.Open()

                sqlcmd.CommandType = CommandType.Text
                sqlcmd.CommandText = sqlcommand
                sqlcmd.Connection = con
                rowaffected = sqlcmd.ExecuteNonQuery

            Catch ex As Exception
                MsgBox("Can not Insert Data : " & ex.Message, MsgBoxStyle.Critical, "Error Meaage")
                Exit Sub
            Finally
                con.Close()

            End Try
        End If
    End Sub

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Response.Redirect("sql8.aspx")
    End Sub

End Class

推荐答案

首先,您不应该在SQL语句中使用未经验证的用户输入,并且您当然不应该使用字符串串联来形成语句.关于这些方法中的任何一种的危害,已经有太多的文献报道.人们为什么继续使用它们?
至少使用参数化查询.
First of all you should not be using unvalidated user input in your SQL statements and you should certainly not be using string concatenation to form the statements. There has been so much written about the dangers of either of these methods. Why do people continue to use them?
Use a parametrized query at least.


尝试此

您正在发送值,然后将它们转换为整数,您需要先将其转换.

Convert.ToInt32(minit.Text)

/*或需要根据表列名DataTypes进行转换的其他Vlues
try This

You are sending values before converting them into integer you need to convert them first.

Convert.ToInt32(minit.Text)

/* Or Other Vlues which needed convertion according to the table columnname DataTypes


同意Mark.普通的串联SQL字符串可能会引发SQL注入问题.

您的代码.您已将"SQL查询"分配给CommandType,这是错误的.
Agree with Mark. Plain concatenated SQL string may invite SQL-Injection problem.

Your Code. You have assigned "SQL Query" to CommandType which is wrong.
sqlcmd = New SqlCommand
con.Open()
sqlcmd.CommandType = CommandType.Text
sqlcmd.CommandType = sqlcommand
sqlcmd.Connection = con
rowaffected = sqlcmd.ExecuteNonQuery



尝试如下更改.



Try by changing it as below.

sqlcmd = New SqlCommand
con.Open()
sqlcmd.CommandType = CommandType.Text
sqlcmd.CommandText = sqlcommand
sqlcmd.Connection = con
rowaffected = sqlcmd.ExecuteNonQuery


这篇关于从字符串“"转换updat员工将fname ='p'设置为'Integer'类型无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发语言最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆