Question

我的代码方法如下：

protected void AddBtn_Click1(object sender, EventArgs e)
{

    string text1 = TextBox1.Text;
    string text2 = TextBox2.Text;
    string text3 = TextBox3.Text;
    string text4 = TextBox4.Text;
    string text5 = TextBox5.Text;
    string text6 = TextBox6.Text;
    string text7 = TextBox7.Text;
    string text8 = TextBox8.Text;
    string text9 = TextBox9.Text;


    if (pnAvailiable == 1)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["XMLConnectionString"].ConnectionString);
        con.Open();
        string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES (" + text1 + "," + text2 + "," + text3 + "," + text4 + "," + text5 + "," + text6 + "," + text7 + "," + text8 + "," + text9 + ")";
        SqlCommand cmd = new SqlCommand(str, con);
        cmd.ExecuteNonQuery();
        con.Close();
        Response.Redirect(Request.RawUrl);
    }
}

我的数据库的数据类型定义为文本

问题是：

当Textbox1输入是一个整数时，它应该转换为字符串而text1是一个字符串。但是当插入到sql时，它报告错误为＆＃34; int与文本＆＃34;不兼容。并在＆＃34; cmd.ExecuteNonQuery（）;＆＃34;
我在数据库中为我的数据类型更改为varchar（50）。新问题是当我输入＆＃34; 6-1＆＃34;时，它首先运行并放入＆＃34; 5＆＃34;进入数据库。当我输入＆＃34; a-3＆＃34;时，它将报告错误。

实际上，我只想输入字符串并将字符串放入数据库。

请帮我弄清楚问题所在。请说明您的问题

Answer 1

protected void AddBtn_Click1(object sender, EventArgs e)
{

    string text1 = TextBox1.Text;
    string text2 = TextBox2.Text;
    string text3 = TextBox3.Text;
    string text4 = TextBox4.Text;
    string text5 = TextBox5.Text;
    string text6 = TextBox6.Text;
    string text7 = TextBox7.Text;
    string text8 = TextBox8.Text;
    string text9 = TextBox9.Text;


    if (pnAvailiable == 1)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["XMLConnectionString"].ConnectionString);
        con.Open();
        string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES (@text1,@text2,@text3,@text4,@text5,@text6,@text7,@text8,@text9)";
        SqlCommand cmd = new SqlCommand(str, con);
        cmd.Parameters.AddWithValue("@text1", text1);
        cmd.Parameters.AddWithValue("@text2", text2);
        cmd.Parameters.AddWithValue("@text3", text3);
        cmd.Parameters.AddWithValue("@text4", text4);
        cmd.Parameters.AddWithValue("@text5", text5);
        cmd.Parameters.AddWithValue("@text6", text6);
        cmd.Parameters.AddWithValue("@text7", text7);
        cmd.Parameters.AddWithValue("@text8", text8);
        cmd.Parameters.AddWithValue("@text9", text9);
        cmd.ExecuteNonQuery();
        con.Close();
        Response.Redirect(Request.RawUrl);
    }
}

Answer 2

我建议您使用 Sql Parameter 而不是只加入字符串。像

   SqlCommand timeSlotCmd = new SqlCommand("delete from xxxxxx   where LeagueId=@LeagueId", conn, tran);
   command.Parameters.Add("@LeagueId", leagueIdValue);
   timeSlotCmd.ExecuteNonQuery();

Answer 3

由于您没有用单引号括起值，因此当遇到6-1时，它会从6中减去1。此意外行为是您的代码中存在严重安全漏洞的症状。您应该花一些时间熟悉SQL Injection个漏洞（目前在OWASP前10名列表中排名第一）。

幸运的是，正确的解决方案将解决您遇到的错误以及SQL Injection漏洞。

要解决这两个问题，请查看使用parameterized queries。使用参数化查询，您可以指定每个参数的数据类型（同时还可以防止恶意代码注入）。例如：

INSERT INTO XML (Part_Number, ......) VALUES (" + text1 + " ...

会变成

INSERT INTO XML (Part_Number, ......) VALUES (@PartNumber ...

这也更容易阅读恕我直言。您需要将参数添加到SqlCommand对象：

SqlParameter PartNumber = new SqlParameter("@PartNumber", SqlDbType.VarChar);
PartNumber.Value = "whatever...";
cmd.Parameters.Add(PartNumber);

希望这有帮助！

Answer 4

可能你需要添加参数。

 string str = "INSERT INTO XML (Part_Number, ...) VALUES (:text1, ...)";
 SqlCommand cmd = new SqlCommand(str, con);
 cmd.AddParam(":text1", DbType.Int, 1, ParameterDirection.Input);
 .....
 cmd.ExecuteNonQuery();
 con.Close();
 Response.Redirect(Request.RawUrl);

Answer 5

更改

string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES (" + text1 + "," + text2 + "," + text3 + "," + text4 + "," + text5 + "," + text6 + "," + text7 + "," + text8 + "," + text9 + ")";

进入以下

"INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES ('" + text1 + "','" + text2 + "','" + text3 + "','" + text4 + "','" + text5 + "','" + text6 + "','" + text7 + "','" + text8 + "','" + text9 + "')";

Answer 6

您的查询不正确，varchar应插入单个代码中（＆＃39;您的行的值＆＃39;）试试这个

string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES ('" + text1 + "','" + text2 + "','" + text3 + "','" + text4 + "','" + text5 + "','" + text6 + "','" + text7 + "','" + text8 + "','" + text9 + "')";

c＃SQL数据类型和查询

6 个答案: