我正在尝试更新我的数据库,但它无法正常工作。
我首先尝试了这段代码:
SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable SET ques1= @ques1VAL WHERE ID=@IDVAL";
SqlCommand cmd = new SqlCommand(@command, con);
cmd.Parameters.AddWithValue("@ques1VAL", ques1TextBox.Text);
cmd.Parameters.AddWithValue("@IDVAL", IDTextBox.Text);
cmd.ExecuteNonQuery();
con.Close();
它不会抛出错误但它不会更新数据库。当我尝试下一个代码时,只更新整数而不是字符串。
SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable " +
"SET ques1=" + ques1TextBox.Text +
" WHERE ID=" + IDTextBox.Text;
SqlCommand cmd = new SqlCommand(@command, con);
cmd.ExecuteNonQuery();
con.Close();
任何人都可以解释我做错了什么吗?我希望代码能够安全地防止SQL注入。
答案 0 :(得分:2)
你错过了IDVAL游行的“@”:
string command = "UPDATE QuizTable SET ques1= @ques1VAL WHERE ID = @IDVAL";
答案 1 :(得分:0)
在第一种情况下,你在条件所在的地方缺少@,所以它应该像 -
SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable SET ques1= @ques1VAL WHERE ID=@IDVAL";
SqlCommand cmd = new SqlCommand(@command, con);
cmd.Parameters.AddWithValue("@ques1VAL", ques1TextBox.Text);
cmd.Parameters.AddWithValue("@IDVAL", IDTextBox.Text);
cmd.ExecuteNonQuery();
con.Close();
在第二种情况下,您传递.text但不使用正确的字符串引用。它应该像 -
SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable " +
"SET ques1='" + ques1TextBox.Text +
"' WHERE ID='" + IDTextBox.Text+"'";
SqlCommand cmd = new SqlCommand(@command, con);
cmd.ExecuteNonQuery();
con.Close();