无法在C#ASP.NET中绑定多部分标识符“TextBox1.Text”?

时间:2011-04-17 22:48:23

标签: c# asp.net sql-server visual-studio

我正在做一个培训练习项目;我的处理程序现在专门禁止使用paramaterization和面向安全的编码,以便降低基础知识。话虽这么说,我的主页上有一个gridview,带有一个超链接字段,可以将用户带到一个页面,在那里他们可以编辑文本框中的行数据。该行由“ProductId”列显示,因为它是自动增量且唯一的。值显示完美,所以我知道我的查询字符串很好,但是当我尝试使用按钮事件进行更新时,我收到一条错误消息,上面写着

无法绑定多部分标识符“TextBox1.Text”。

我所有的文本框。我的代码如下。我错过了什么?这是我的第一次牛仔竞技表演,所以对于有经验的人来说,它可能是基本而且显而易见的。 

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Data;
    using System.Data.Sql;
    using System.Data.SqlClient;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;

    public partial class ViewEdit : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            string x = Request.QueryString["ProductId"];
            string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
            string editQuery = "SELECT CustId, CustName, SicNaic, CustCity, CustAdd, CustState, CustZip, BroName, BroId, BroAdd, BroCity, BroState, BroZip, EntityType, Coverage, CurrentCoverage, PrimEx, Retention, EffectiveDate, Commission, Premium, Comments FROM ProductInstance WHERE ProductId =" + x;



        using (SqlConnection editConn = new SqlConnection(connectionString))
        {
            editConn.Open();

            using (SqlCommand command = new SqlCommand(editQuery, editConn))
            {

                SqlDataReader dr = command.ExecuteReader();
                dr.Read();
                TextBox1.Text = dr.GetInt32(0).ToString();
                TextBox2.Text = dr.GetString(1);
                TextBox3.Text = dr.GetString(2);
                TextBox4.Text = dr.GetString(3);
                TextBox5.Text = dr.GetString(4);
                TextBox6.Text = dr.GetString(5);
                TextBox7.Text = dr.GetInt32(6).ToString();
                TextBox8.Text = dr.GetString(7);
                TextBox9.Text = dr.GetInt32(8).ToString();
                TextBox10.Text = dr.GetString(9);
                TextBox11.Text = dr.GetString(10);
                TextBox12.Text = dr.GetString(11);
                TextBox13.Text = dr.GetInt32(12).ToString();
                TextBox14.Text = dr.GetString(13);
                TextBox15.Text = dr.GetInt32(14).ToString();
                TextBox16.Text = dr.GetInt32(15).ToString();
                TextBox17.Text = dr.GetInt32(16).ToString();
                TextBox18.Text = dr.GetInt32(17).ToString();
                TextBox19.Text = dr.GetDateTime(18).ToString();
                TextBox20.Text = dr.GetInt32(19).ToString();
                TextBox21.Text = dr.GetInt32(20).ToString();
                TextBox22.Text = dr.GetString(21);



            }

        }   
    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        string x = Request.QueryString["ProductId"];
        string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
        string updateQuery = "UPDATE ProductInstance SET CustId = TextBox1.Text, CustName = TextBox2.Text, SicNaic =TextBox3.Text, CustCity = TextBox4.Text, CustAdd = TextBox5.Text, CustState = TextBox6.Text, CustZip = TextBox7.Text, BroName = TextBox8.Text, BroId = TextBox9.Text, BroAdd = TextBox10.Text, BroCity = TextBox11.Text, BroState = TextBox12.Text, BroZip = TextBox13.Text, EntityType = TextBox14.Text, Coverage = TextBox15.Text, CurrentCoverage = TextBox16.Text, PrimEx = TextBox17.Text, Retention = TextBox18.Text, EffectiveDate = TextBox19.Text, Commission = TextBox20.Text, Premium = TextBox21.Text, Comments = TextBox22.Text WHERE ProductId =" + x; 
        using (SqlConnection updateConn = new SqlConnection(connectionString))
        {
            updateConn.Open();
            {
                using (SqlCommand command = new SqlCommand(updateQuery, updateConn))
                {
                    command.ExecuteNonQuery();
                }
            }
        }
    }
}

3 个答案:

答案 0 :(得分:4)

使用参数执行此操作。否则,您可以进行SQL注入。

SQLCommand cmd = new SQLCommand();
cmd.CommandText = "UPDATE ProductInstance SET CustId = @CustID WHERE .... ";
cmd.Parameters.AddWithValue("@CustID", TextBox1.Text);
cmd.ExecuteNonQuery();

答案 1 :(得分:2)

您必须将Text控件的TextBox属性的值传递给查询,而不是将“TextBox.Text”作为字符串传递:

string updateQuery = "UPDATE ProductInstance SET CustId = " + TextBox1.Text + ", CustName = '" + TextBox2.Text + "', .... " + x;

注意

如果“Text”属性的值是一个字符串,则必须在值的两边放置',如上例所示。

答案 2 :(得分:2)

您的查询将按原样执行,Textbox*.Text将不会被替换。 您必须使用SQL参数或使用字符串Builder或string.Format来生成查询字符串。

const string queryFormat = "UPDATE ProductInstance SET CustId = {0}, CustName = '{1}', ... WHERE ProductId = {n}";
var query = string.Format(queryFormat, Textbox1.Text, 
                                       Textbox2.Text, 
                                       ..., 
                                       TextboxN.Text, x);

确保生成有效的SQL Update查询。如果Textbox4.Text是一个字符串,那么像CustCity = TextBox4.Text这样的东西就会失败。您必须在需要的地方添加引号CustCity = '" + TextBox4.Text + "'"

即使您不能使用参数或ORM,我也建议您为TextboxN以外的文本框命名。

此外,如果您使用网格视图,我不知道这段代码会如何工作?你只填一行?

相关问题
最新问题