I'm trying to run a C# function when I press a button, which takes a rating (1-7) and puts it into the database along with a text input. The feedback section:

<asp:PlaceHolder ID="AnswersPlaceholder" runat="server" Visible="false">
    <asp:Literal ID="AnswerLiteral" runat="server"></asp:Literal>
    <br />
    <br />
    <div class="FeedbackTitle">How accurate do you find this result?</div>
    <center><p><input class="FeedbackChoice" type="checkbox" value="1" name="feedback" id="F1">Way off!</p></center>
    <center><p><input class="FeedbackChoice" type="checkbox" runat="server" value="2" name="feedback" id="F2">Mostly inaccurate</p></center>
    <center><p><input class="FeedbackChoice" type="checkbox" runat="server" value="3" name="feedback" id="F3">Somewhat accurate</p></center>
    <center><p><input type="text" style="width:40%; border: solid,thick; border-color:blue" name="Note" runat="server" class="FeedbackNote" /></p></center>
    <button class="ContinueButton" runat="server" onclick="SubmitFeedback_click">Continue</button>
And the function it calls:

protected void SubmitFeedback_Click(object sender, EventArgs e)
{
    string FeedbackNoteString = "";
    string FeedbackButtonString = "";
    int UseUserID = 0;
    int Feedback = 0;
    try
    {
        UserInfo _currentUser = UserController.Instance.GetCurrentUserInfo();
        UseUserID = _currentUser.UserID;
    }
    catch (OleDbException ex)
    {
        Console.WriteLine("Error: {0}", ex.Errors[0].Message);
    }
    finally
    {
        OleDbConnection bConnection = new OleDbConnection("Driver={SQL Server};Provider=SQLOLEDB........(credentials hidden)");
        OleDbCommand DoesFeedbackExistCommand = new OleDbCommand("SELECT * FROM ss_QuizFeedback WHERE UserId = " + UseUserID.ToString(), bConnection);
        OleDbDataReader DoesFeedbackExistReader = DoesFeedbackExistCommand.ExecuteReader();
        SqlConnection SSSqlConnection = new SqlConnection(ConfigurationManager.ConnectionStrings["SiteSqlServer"].ConnectionString);
        SqlCommand FeedbackNoteCommand = SSSqlConnection.CreateCommand();
        SqlCommand FeedbackButtonCommand = SSSqlConnection.CreateCommand();
        bConnection.Open();
        while (DoesFeedbackExistReader.Read())
        {
            Feedback++;
        }
        if (Feedback == 0)
        {
            FeedbackNoteString = "INSERT INTO ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ("
                + UseUserID.ToString() + ","
                + Request.Form["Note"] + ")";
            FeedbackButtonString = "INSERT INTO ss_SoulGoalsFeedback (UserId,Rating) VALUES ("
                + UseUserID.ToString() + ","
                + Request.Form["feedback"].ToString() + ")";
        }
        else if (Feedback != 0)
        {
            FeedbackNoteString = "UPDATE ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ("
                + UseUserID.ToString() + ","
                + Request.Form["Note"] + ")";
        }
        FeedbackNoteCommand.CommandText = FeedbackNoteString;
        FeedbackNoteCommand.ExecuteNonQuery();
        FeedbackButtonCommand.CommandText = FeedbackButtonString;
        FeedbackButtonCommand.ExecuteNonQuery();
        SSSqlConnection.Close();
        bConnection.Close();
    }
}
When the button is pressed, the page refreshes, but nothing is put into the database.

Answer 0 (score: 1)
Your program is probably generating invalid SQL. For example

FeedbackNoteString = "INSERT INTO ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ("
    + UseUserID.ToString() + ","
    + Request.Form["Note"] + ")";

should be

FeedbackNoteString = "INSERT INTO ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ('"
    + UseUserID.ToString() + "','"
    + Request.Form["Note"] + "')";

or even better

FeedbackNoteString = String.Format("INSERT INTO ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ('{0}','{1}')", UseUserID.ToString(), Request.Form["Note"]);

(Note that I added single quotes around the two strings you are concatenating into the SQL.)

By the way, your code is very vulnerable to SQL injection. You might want to consider using stored procedures to perform these database operations.
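For contrast, here is the same insert/update written with parameterised SqlCommands, so neither the rating nor the free-text note can change the statement text; this is an added example, not the asker's or the answerer's code. It reuses the table, column and connection-string names from the question, and assumes the existence check is meant against the same table the note is written to (the question checks ss_QuizFeedback instead).

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class FeedbackStore
{
    // Returns true when the feedback was written (inserted or updated).
    // Callers should convert Request.Form["feedback"] with int.TryParse first.
    public static bool SaveFeedback(int userId, int rating, string note)
    {
        // Validate the rating before touching the database (the page offers 1-7).
        if (rating < 1 || rating > 7) return false;
        string cs = ConfigurationManager.ConnectionStrings["SiteSqlServer"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        {
            conn.Open();

            // Existence check against the same table the note is written to
            // (assumption; the question checks ss_QuizFeedback instead).
            bool exists;
            using (var check = new SqlCommand(
                "SELECT COUNT(*) FROM ss_SoulGoalsQuizFeedback WHERE UserId = @UserId", conn))
            {
                check.Parameters.Add("@UserId", SqlDbType.Int).Value = userId;
                exists = (int)check.ExecuteScalar() > 0;
            }

            string noteSql = exists
                ? "UPDATE ss_SoulGoalsQuizFeedback SET SoulGoalsNote = @Note WHERE UserId = @UserId"
                : "INSERT INTO ss_SoulGoalsQuizFeedback (UserId, SoulGoalsNote) VALUES (@UserId, @Note)";
            using (var noteCmd = new SqlCommand(noteSql, conn))
            {
                noteCmd.Parameters.Add("@UserId", SqlDbType.Int).Value = userId;
                // The note travels as a typed parameter, never spliced into the SQL text.
                noteCmd.Parameters.Add("@Note", SqlDbType.NVarChar, 500).Value = note ?? "";
                noteCmd.ExecuteNonQuery();
            }

            using (var ratingCmd = new SqlCommand(
                "INSERT INTO ss_SoulGoalsFeedback (UserId, Rating) VALUES (@UserId, @Rating)", conn))
            {
                ratingCmd.Parameters.Add("@UserId", SqlDbType.Int).Value = userId;
                ratingCmd.Parameters.Add("@Rating", SqlDbType.Int).Value = rating;
                ratingCmd.ExecuteNonQuery();
            }
            return true;
        }
    }
}
```

With parameters in place, a note such as `'); DROP TABLE ss_SoulGoalsQuizFeedback;--` is stored as plain text rather than executed, and the quoting problem the answer points out disappears because no quoting is done by hand.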