我被指派在我的学校kmhsmc.somee.com为俱乐部创建一个网站。我选择ASP作为语言,我遇到了sql函数的问题。如果您访问上面的网站并单击加入当前的liveclub会话并在顶部的文本框中填入一堆垃圾并点击连接,则会抛出SQL异常。这是代码:
UName = TextBox1.Text;
CompN = TextBox2.Text;
TMin = TextBox3.Text;
Name = TextBox4.Text;
TextBox1.Visible = false;
TextBox2.Visible = false;
TextBox3.Visible = false;
TextBox4.Visible = false;
string sql = "INSERT INTO table_name values (" + Name + "," + UName + "," + CompN + "," + TMin + "," + "NA" + "," + 0 + ")";
conn.Open();
try
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.ExecuteNonQuery();
}
catch
{
Response.Write("<script>alert('SQL error: try again later')</script>");
}
finally
{
conn.Close();
}
对于任何要求的人,我110%确定它不是连接字符串,因为它在网站的日历页面上运行正常。
以下是该项目的其他相关信息:
答案 0 :(得分:5)
问题:您没有在String内附上VARCHAR,NVARCHAR种single quotes列。
解决方案:您需要将String类型括在single quotes内。
试试这个:
sqlCmd.CommandText = "INSERT INTO tablename(name) VALUES('yourname');
建议:您应该使用Parameterised queries来避免SQL injection attacks。
使用parameterised sql queries
string sql = "INSERT INTO table_name values (@Name,@UName,@CompN,@TMin,@value1,@value2)";
conn.Open();
try
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.Parameters.AddWithValue("@Name",Name);
cmd.Parameters.AddWithValue("@UName",UName);
cmd.Parameters.AddWithValue("@CompN",CompN);
cmd.Parameters.AddWithValue("@TMin",TMin);
cmd.Parameters.AddWithValue("@value1","NA");
cmd.Parameters.AddWithValue("@value2",0);
cmd.ExecuteNonQuery();
}
答案 1 :(得分:0)
你的sql字符串错误。
UName = TextBox1.Text;
CompN = TextBox2.Text;
TMin = TextBox3.Text;
Name = TextBox4.Text;
TextBox1.Visible = false;
TextBox2.Visible = false;
TextBox3.Visible = false;
TextBox4.Visible = false;
string sql = "INSERT INTO table_name values ('" + Name + "','" + UName + "','" + CompN + "','" + TMin + "','NA', 0 )";
conn.Open();
try
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.ExecuteNonQuery();
}
catch
{
Response.Write( "<script>alert( 'SQL error: try again later' )</script>" );
}
finally
{
conn.Close();
}