我想问为什么查询返回null并且不更新我想要的内容。抱歉,asp.net和c#
myquery = "UPDATE kenderaan SET buatan = " + "'" + carmake + "'" + "," +
"model = " + "'" + carmodel + "'" + "," +
"no_enjin = " + "'" + carenjin + "'" + "," +
"cc = " + carcc + "," +
"seatCapacity = " + carseat + "," +
"tahunBuatan = " + caryear + " WHERE no_kenderaan = " + "'" + carid + "'" + "," +
"AND ic = " + "'" + cusid + "'";
connection = new DbConnection();
connection.Update(myquery);
答案 0 :(得分:3)
将代码重组为此内容,使用Connection对象,Command对象,using语句。
string myquery = "UPDATE kenderaan SET buatan = @carmake ," +
" model = @carmodel ," +
" no_enjin = @carenjin ," +
" cc = @carcc ," +
" seatCapacity = @carseat ," +
" tahunBuatan = @caryear " +
"WHERE no_kenderaan = @carid " +
" AND ic = @cusid ";
using (MySqlConnection _conn = new MySqlConnection("connectionStringHere"))
{
using (MySqlCommand _comm = new MySqlCommand())
{
_comm.Connection = _conn;
_comm.CommandText = myquery;
_comm.CommandType = CommandType.Text;
_comm.Parameters.AddWithValue("@carmake",carmake);
_comm.Parameters.AddWithValue("@carmodel",carmodel);
_comm.Parameters.AddWithValue("@carenjin",carenjin);
_comm.Parameters.AddWithValue("@carcc",carcc);
_comm.Parameters.AddWithValue("@carseat",carseat);
_comm.Parameters.AddWithValue("@caryear",caryear);
_comm.Parameters.AddWithValue("@carid",carid);
_comm.Parameters.AddWithValue("@cusid",cusid);
try
{
_conn.Open();
_comm.ExecuteNonQuery();
MessageBox.Show("Updated!");
}
catch (MySqlException e)
{
MessageBox.Show(e.ToString()); // as mentioned on the comment
}
}
}
您需要参数化查询的原因:
来源
答案 1 :(得分:1)
使用DbCommand方法创建Update以执行ExecuteNonQuery()语句。如果您使用的是SQL Server,那么您可以使用以下代码段:
using System.Data.SqlClient;
string query = "UPDATE kenderaan SET buatan = @carmake" +
", model = @carmodel" +
", no_enjin = @carenjin" +
", cc = @carcc" +
", seatCapacity = @carseat" +
", tahunBuatan = @caryear" +
" WHERE no_kenderaan = @carid AND ic = @cusid";
using (SqlConnection conn = new SqlConnection("<connection string>"))
{
using (SqlCommand cmd = new SqlCommand(query, conn))
{
cmd.Parameters.AddWithValue("@carmake", carmake);
cmd.Parameters.AddWithValue("@carmodel", carmodel);
cmd.Parameters.AddWithValue("@carenjin", carenjin);
cmd.Parameters.AddWithValue("@carcc", carcc);
cmd.Parameters.AddWithValue("@carseat", carseat);
cmd.Parameters.AddWithValue("@caryear", caryear);
cmd.Parameters.AddWithValue("@carid", carid);
cmd.Parameters.AddWithValue("@cusid", cusid);
conn.Open();
cmd.ExecuteNonQuery();
}
}
答案 2 :(得分:-1)
尝试使用此代码代替您的代码:
并确保将varchar参数与字符串值进行比较。
string myquery = "UPDATE kenderaan SET buatan = '" + carmake + "',model = '"+
carmodel + "',no_enjin = '" +carenjin + "',cc = " + carcc + ",seatCapacity = " +
carseat + ",tahunBuatan = " + caryear +
" WHERE no_kenderaan = '" + carid + "' AND ic = '" + cusid + "'";
connection = new DbConnection();
connection.Update(myquery);
更新:道歉,我刚刚用你的where条件更正了你的查询我刚刚删除了你用来分隔两个条件的逗号。
要避免SQL注入攻击,请使用以下方法之一:
1)Parameters with Stored Procedures
2)Use Parameters with Dynamic SQL
3)Constrain Input
您可以在HERE
上找到更多信息