我在哪里错了建议我另类 [英] where i am wrong suggest me alternative

问题描述

//此代码在员工申请Claim(emp模块代码)时使用

//this code is used when employee is applying for Claim(emp module code)

using (SqlCommand _oCmd = new SqlCommand())
            {
                _oCmd.Connection = _oCon;
                _oCmd.CommandType = CommandType.StoredProcedure;
                _oCmd.CommandText = "dbo.stp_iOpdClaim";
              _oCmd.Parameters.Add(new SqlParameter("@userid", lbldisplay.Text.Trim().ToString()));
                _oCmd.Parameters.Add(new SqlParameter               ("@claimamt",txttotalcost.Text.Trim().ToString()));

                _oCmd.Parameters.Add(new SqlParameter("@status", "pending"));
                _oCmd.Parameters.Add(new SqlParameter("@Balance",15000));
                       
                _oCmd.ExecuteNonQuery();
                ClearControls();
                GetSaveMessage();
            }
        }

emp最多可以索取15000，这就是为什么将15000存储在Balance中的原因

//用于批准/拒绝声明的管理模块代码

从第一个索赔开始，假设我申请了5000个索赔amt，那么管理员将对其进行验证并批准，因此，无论何时我从第二次索赔中获得第二个索赔的amt将从10000中减去，但从15000中减去后，数据库中的10000被保存为第一个索赔，请plz ckeck我错的代码建议我替代

emp can claim upto 15000 that''s why 15000 is store in Balance

//admin module code for approving/reject claim

from 1ST claim suppose i apply for 5000 claim amt then admin will verify it and approve it so in database 10000 is save for 1st claim whenver i claim from 2nd timeclaim amt for 2nd claim will subtract from 10000 but it was subtracted from 15000 only plz ckeck code where i am wrong suggest me alternative

_sr = Request.QueryString["sr"].ToString();

 protected void SaveDetail()
    {
        
        DataSet ds = new DataSet();
        DB obj = new DB();
        string str = "update tbl_OpdClaim set Balance =" + txtbalance.Text + " ,status='" + txtstatus.Text + "' where userid='" + _sr.ToString() + " ; 
    
        obj.execute_dml(str);
        GetSaveMessage();
        obj.close();
       

    }

 protected void cmdverify_Click(object sender, EventArgs e)
    {
        DataSet ds = new DataSet();
                                
        DB obj = new DB();
    
        
   string str = "select totalamt,Balance from tbl_OpdClaim where userid='" + _sr.ToString() + "'";
                 ds = obj.getdataset(str);
        
       double  bal = Convert.ToDouble(ds.Tables[0].Rows[0]["Balance"].ToString());
        double  claimamt = Convert.ToDouble(ds.Tables[0].Rows[0]["totalamt"].ToString());
         if (claimamt < bal)
             bal = bal - claimamt;
         txtbalance.Text = bal.ToString();
                  
    }
    protected void rdbStatuschange_SelectedIndexChanged(object sender, EventArgs e)
    {
        if (rdbStatuschange.SelectedValue == "Approved")
        {
            txtstatus.Text = "Approved";
                       
        }
        else
        {
            txtstatus.Text = "Rejected";
        }
    }

推荐答案

我看到的一个错误是更新SQL语句未完成.您错过了最后一个单引号.

One error that I can see is the update SQL statement is not completed. You missed the last single quote.

string str = "update tbl_OpdClaim set Balance =" + txtbalance.Text + " ,status='" + txtstatus.Text + "' where userid='" + _sr.ToString() + "'" ; 

一般评论:

您从作为参数化查询的好方法开始，然后混入了不好的SQL语句.正如Christian Graus所说的那样，您可能会遇到 SQL注入 [ ^ ].

General comment:

You started as good approach which is parameterized query and you mixed with SQL statement which is bad.As Christian Graus said you might be exposed to SQL Injection[^].

您的代码是一场灾难.通过在txtBalance或txtStatus中输入正确的文本，我可以随时清除您的数据库.阅读有关SQL注入的知识，修复代码，使用调试器浏览正在发生的事情，然后再次询问，报告执行的步骤以及发现的内容.

Your code is a disaster. I can erase your database any time I like, by entering the right text in to txtBalance or txtStatus. Read up on SQL injection, fix your code, use the debugger to walk through what is going on, and then ask again, reporting the steps you took, and what you found.

这篇关于我在哪里错了建议我另类的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！