using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
public partial class Editprofile : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString;
string sql = "select userid from Profile";
SqlCommand cmd = new SqlCommand();
SqlDataReader dr;
DataTable dt = new DataTable();
cmd.CommandText = sql;
cmd.Connection = con;
con.Open();
dr = cmd.ExecuteReader();
dt.Load(dr);
ddl_userid.DataSource = dt;
ddl_userid.DataTextField = "userid";
ddl_userid.DataValueField = "userid";
ddl_userid.DataBind();
}
}
protected void ddl_userid_SelectedIndexChanged(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString;
string sql = "Select studname,gender,email,birthdate,contact from profile where userid='" + ddl_userid.SelectedValue + "'";
SqlCommand cmd = new SqlCommand();
SqlDataReader dr;
DataTable dt = new DataTable();
cmd.CommandText = sql;
cmd.Connection = con;
con.Open();
dr = cmd.ExecuteReader();
dt.Load(dr);
tb_studname.Text = dt.Rows[0]["studname"].ToString();
tb_gender.Text = dt.Rows[0]["gender"].ToString();
tb_email.Text = dt.Rows[0]["email"].ToString();
tb_age.Text = dt.Rows[0]["birthdate"].ToString();
tb_contact.Text = dt.Rows[0]["contact"].ToString();
Session["dt"] = dt;
}
protected void bn_reset_Click(object sender, EventArgs e)
{
DataTable dt = (DataTable)Session["dt"];
tb_studname.Text = dt.Rows[0]["studname"].ToString();
tb_gender.Text = dt.Rows[0]["gender"].ToString();
tb_email.Text = dt.Rows[0]["email"].ToString();
tb_age.Text = dt.Rows[0]["birthdate"].ToString();
tb_contact.Text = dt.Rows[0]["contact"].ToString();
}
protected void bn_update_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString;
String name = tb_studname.Text;
String gender = tb_gender.Text;
String email = tb_email.Text;
String age = tb_age.Text;
String contact = tb_contact.Text;
string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact;
sql=sql +"where userid='"+ddl_userid+"'";
SqlCommand cmd =new SqlCommand();
cmd.CommandText=sql;
cmd.Connection=con;
try
{
con.Open();
cmd.ExecuteNonQuery();
lbl_msg.Text="Record Updated!";
}
catch(Exception ex)
{
lbl_msg.Text="Problem encountered:"+ex.Message;
}
finally
{
con.Close();
con.Dispose();
cmd.Dispose();
}
}
}
HI家伙,当我加载页面时,重置按钮按预期工作但当我尝试更新信息按钮时出现错误消息 遇到问题:'系统'附近的语法不正确。字符串''
后面的未闭合引号答案 0 :(得分:5)
错误是在更新语句
中缺少关闭引号 string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+
email+"',birthdate='"+age+"',contact='"+contact +"'";
说,你应该删除所有这个字符串连接并使用参数化查询
有太多要点需要解决,我只是展示了针对更新
的修正建议 string sql="Update Profile Set studName=@name,gender=@gender,email=@email," +
"birthdate=@age,contact=@contact where userid=@uid";
SqlCommand cmd =new SqlCommand();
cmd.CommandText = sql;
cmd.Parameters.AddWithValue("@name",name);
cmd.Parameters.AddWithValue("@gender",gender);
cmd.Parameters.AddWithValue("@email",email);
cmd.Parameters.AddWithValue("@age",age);
cmd.Parameters.AddWithValue("@contact",contact);
cmd.Parameters.AddWithValue("@uid",ddl_userid);
cmd.ExecuteNonQuery();
通过这种方式,您的命令字符串更具可读性,并且您可以避免细微的引用错误 引用参数的工作也会传递给框架代码,并且不可能进行SQL注入。
答案 1 :(得分:1)
我认为这一行存在问题;
string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',
contact='"+contact;
^^ here missing '"
sql=sql +"where userid='"+ddl_userid+"'";
但请不要这样使用。请改用parameterized queries。这种字符串连接对SQL Injection攻击开放。
同样使用参数化查询可提高可读性。
例如;
string sql = @"Update Profile Set studName=@studName,gender=@gender,email=@email, birthdate=@birthdate, contact=@contact
where userid=@userid";
SqlCommand cmd =new SqlCommand(sql, con);
cmd.Parameters.AddWithValue("@studName", studName);
cmd.Parameters.AddWithValue("@gender", gender);
cmd.Parameters.AddWithValue("@email", email);
cmd.Parameters.AddWithValue("@birthdate", birthdate);
cmd.Parameters.AddWithValue("@contact", contact);
cmd.Parameters.AddWithValue("@userid", userid);
cmd.ExecuteNonQuery();
答案 2 :(得分:0)
以下行问题:
string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact;
您需要完成以下字符串:请参阅我已编辑语句的结尾。
string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact +"' ";
注意:我建议您使用参数化查询而不是直接字符串。
答案 3 :(得分:0)
变化:
string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact;
要:
string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact + "' ";
联系后遗漏单引号。然后你需要一个空格,以便添加Where子句的下一行有效。