目前,我正在整理一类的asp项目,并开始注意到一个重大缺陷的必要条件之一。该应用程序应该问五个问题,并写出答案的数据库,以后就应该显示调查的结果给用户。
I'm currently finishing an asp project for a class and began to notice a major flaw with one of the requisites. The application should ask five questions and write the answers to a database, afterwards it should display the results of the survey to the user.
这是我迄今为止尝试:
public static string GetConnectionString() { string connStr = String.Format("server={0}; user id={1}; password={2};" + "database= -table to be accessed-; pooling=false", "-database server-", "-user-", "-password-"); return connStr; } protected void Button1_Click(object sender, EventArgs e) { if (Page.IsValid) { string sex = gender.Text; string likes = interests.Text; string edu = education.Text; string nation = nationality.Text; string userage = age.Text; MySql.Data.MySqlClient.MySqlConnection mycon; mycon = new MySqlConnection(GetConnectionString()); try { MySqlCommand cmd = new MySqlCommand("INSERT INTO survey (gender, age, birthplace, occupation, winner) VALUES ('" + sex + ", " + likes + ", " + edu + ", " + userage + "')", mycon); cmd.ExecuteNonQuery(); mycon.Open(); } catch (Exception ex) { Response.Write(ex.Message); } finally { mycon.Close(); } } }我继续替换占位符数据库信息。
I went ahead and replaced the database information with placeholders.
该数据库是MySQL和外部服务器上承载。
The database is MySql and hosted on an external server.
我遇到的问题是,code编译,但是信息不被写入到数据库中。我不能肯定,如果这是由于这样的事实,我现在还在测试code和尚未上传的Web应用程序服务器或事实,这是错误的。
The issue I'm experiencing is that the code compiles, however the information does not get written to the database. I'm not certain if this is due to the fact that I'm still testing the code and have not uploaded the web application to the server or the fact that it's just wrong.
至于显示结果去了,如果上面的code是正确的,将仅仅是改变SQL查询的问题,正确的?
As far as displaying the results go, if the above code is correct it would simply be a matter of changing the sql query, correct?
在此先感谢您的洞察力。
Thanks in advance for the insight.
推荐答案打开数据库连接之前,您正在执行的命令。
You are executing the command before opening database connection.
的ExecuteNonQuery()法和其他所有Execute方法需要一个开放的数据库连接。
ExecuteNonQuery() method and all other Execute method require an open database connection.
和另一个错误是:结果列数(即5)和设置值(即4)不相等。
And another error is: Number of columns (i.e. 5) and provided values (i.e. 4) are not equal.
和one在code的问题是这里由史蒂夫伦斯说。
改变你的code象下面这样:
Change Your Code like below:
try { MySqlCommand cmd = new MySqlCommand("INSERT INTO survey (gender, age, birthplace, occupation, winner) VALUES ('" + sex + ", " + likes + ", " + edu + ", " + userage + "')", mycon); mycon.Open(); cmd.ExecuteNonQuery(); } catch (Exception ex) { Response.Write(ex.Message); } finally { mycon.Close(); }安全注意事项:
绝不添加数据成使用 + 运营商查询。这可能会导致 SQL注入。
Security Notes:
Never add data into query using + operator. It may cause SQL Injection.
如果用户输入 1); DROP TABLE<表名称> - 在年龄 文本框 ??结果任何人都可以从数据库中完全删除的任何表。
What if a user enters 1); DROP TABLE <table-name> -- in Age TextBox..?? Anyone can delete any table entirely from database.
使用 MySQL的参数,以避免此类问题。它可能造成严重损害你的整个数据库prevent。
Use MySQL Parameter to avoid such problems. It may prevent from causing serious damages to your entire database.
更多推荐
写在asp.net数据库
发布评论