public void moveBooks(int quantityOfMovedBooks, int booksID)
{
int finalQuantityOfBooks = totalBooksInDB(booksID) - quantityOfMovedBooks;
queryString = "update Books set bQuantity='" + finalQuantityOfBooks + "'where bID=" + booksID;
myComm = new OleDbCommand(queryString, myConn);
myConn.Open();
myComm.ExecuteNonQuery();
myConn.Close();
}
public int totalBooksInDB(int bID)
{
int booksQuantity;
queryString = "select bQuantity from Books where bID=" + bID;
myComm = new OleDbCommand(queryString, myConn);
myConn.Open();
booksQuantity = (int)myComm.ExecuteScalar();
myConn.Close();
return booksQuantity;
}
答案 0 :(得分:3)
一些变化。
首先,永远不要使用字符串连接来构建sql命令文本。这会导致sql injection次攻击。一个非常严重的安全问题
第二,您获取图书数量的代码可能会导致ExecuteScalar返回一个空值,因此您将收到错误
<强>第三即可。应在需要,使用,然后关闭和处理时打开连接。如果出于某种原因,您的代码将无法关闭并处理连接 using statement阻止此问题在出现异常情况时也要小心关闭和处理连接。
第四这是一个更合乎逻辑的问题。我认为你不能移动比库存中存储的更多的书籍,所以添加一个检查只是为了安全 -
public void moveBooks(int quantityOfMovedBooks, int booksID)
{
int quantity = totalBooksInDB(booksID);
if(quantity > quantityOfMovedBooks)
{
int finalQuantityOfBooks = quantity - quantityOfMovedBooks;
queryString = "update Books set bQuantity=? where bID=?";
using ( OleDbConnection myConn = new OleDbConnection(GetConnectionString() )
using ( OleDbCommand myComm = new OleDbCommand(queryString, myConn))
{
myComm.Parameters.AddWithValue("@p1", finalQuantityOfBooks);
myComm.Parameters.AddWithValue("@p2", booksID);
myConn.Open();
myComm.ExecuteNonQuery();
}
}
else
MessageBox.Show("Invalid quantity to move");
}
public int totalBooksInDB(int bID)
{
int booksQuantity = 0;
queryString = "select bQuantity from Books where bID=?";
using ( OleDbConnection myConn = new OleDbConnection(GetConnectionString() )
using ( OleDbCommand myComm = new OleDbCommand(queryString, myConn))
{
myComm = new OleDbCommand(queryString, myConn);
myComm.Parameters.AddWithValue("@p1", bID);
myConn.Open();
object result = myComm.ExecuteScalar();
if(result != null)
booksQuantity = Convert.ToInt32(result);
}
return booksQuantity;
}