protected void ImageButton2_Click(object sender, ImageClickEventArgs e)
{
string loginID = (String)Session["UserID"];
string ID = txtID.Text;
string password = txtPassword.Text;
string name = txtName.Text;
string position = txtPosition.Text;
int status = 1;
string createOn = validate.GetTimestamp(DateTime.Now); ;
string accessRight;
if (RadioButton1.Checked)
accessRight = "Administrator";
else
accessRight = "Non-administrator";
if (txtID.Text != "")
ClientScript.RegisterStartupScript(this.GetType(), "yourMessage", "alert('" + ID + "ha " + password + "ha " + status + "ha " + accessRight + "ha " + position + "ha " + name + "ha " + createOn + "');", true);
string sqlcommand = "INSERT INTO USERMASTER (USERID,USERPWD,USERNAME,USERPOISITION,USERACCESSRIGHTS,USERSTATUS,CREATEDATE,CREATEUSERID) VALUES ("+ ID + "," + password + "," + name + "," + position + "," + accessRight + "," + status + "," + createOn + "," +loginID+ ")";
readdata.updateData(sqlcommand);
}
我正在将sqlcommand传递给execute_的readdata类,并且它抛出了这个错误..
ORA-00917:缺少逗号
描述:执行期间发生了未处理的异常 当前的网络请求。请查看堆栈跟踪了解更多信息 有关错误的信息以及它在代码中的起源。
异常详细信息:System.Data.OleDb.OleDbException:ORA-00917: 缺少逗号。
readdata类函数代码如下。
public void updateData(string SqlCommand)
{
string strConString = ConfigurationManager.ConnectionStrings["SOConnectionString"].ConnectionString;
OleDbConnection conn = new OleDbConnection(strConString);
OleDbCommand cmd = new OleDbCommand(SqlCommand, conn);
OleDbDataAdapter daPerson = new OleDbDataAdapter(cmd);
conn.Open();
cmd.ExecuteNonQuery();
}
答案 0 :(得分:1)
鉴于您的大多数列都是可变长度字符,因此必须将它们括在单引号中。 所以,而不是:
string sqlcommand = "INSERT INTO myTable (ColumnName) VALUES (" + InputValue + ")";
你至少需要这个:
string sqlcommand = "INSERT INTO myTable (ColumnName) VALUES ('" + InputValue + "')";
对于" foo"的InputValue,第一个语句的结果将是:
INSERT INTO myTable(ColumnName)VALUES(foo)
会导致语法错误。
第二个语句的格式正确,如:
INSERT INTO myTable(ColumnName)VALUES(' foo')
此外,此代码似乎使用用户直接输入的值,txtID,txtPassword等。这是一个SQL注入攻击向量。您的输入需要转义。理想情况下,您应该在这里使用参数化查询。
这似乎是c#。请相应更新您的代码。 无论如何,如果它是.Net,这里有一些关于参数化查询的更多信息:
答案 1 :(得分:0)
试试这个
string sqlcommand = "INSERT INTO USERMASTER (USERID,USERPWD,USERNAME,USERPOISITION,USERACCESSRIGHTS,USERSTATUS,CREATEDATE,CREATEUSERID) VALUES ('"+ ID + "','" + password + "','" + name + "','" + position + "','" + accessRight + "','" + status + "','" + createOn + "','" +loginID+ "')";
答案 2 :(得分:0)
连接查询并执行它不会被推荐,因为它可能会导致强大的SQl注入。假设这些参数中的任何一个包含逗号(,),如USERPWD=passwo',rd,则查询将以逗号分隔为passwo和rd。这可能是个问题
建议您使用“Parameterized queries to prevent SQL Injection Attacks in SQL Server”并希望它能解决您的问题。
您的代码可以按如下方式重写
protected void ImageButton2_Click(object sender, ImageClickEventArgs e)
{
string loginID = (String)Session["UserID"];
string ID = txtID.Text;
string password = txtPassword.Text;
string name = txtName.Text;
string position = txtPosition.Text;
int status = 1;
string createOn = validate.GetTimestamp(DateTime.Now); ;
string accessRight;
if (RadioButton1.Checked)
accessRight = "Administrator";
else
accessRight = "Non-administrator";
if (txtID.Text != "")
ClientScript.RegisterStartupScript(this.GetType(), "yourMessage", "alert('" + ID + "ha " + password + "ha " + status + "ha " + accessRight + "ha " + position + "ha " + name + "ha " + createOn + "');", true);
string strQuery;
OleDbCommand cmd;
strQuery = "INSERT INTO USERMASTER(USERID,USERPWD,USERNAME,USERPOISITION,USERACCESSRIGHTS,USERSTATUS,CREATEDATE,CREATEUSERID) VALUES(@ID,@password,@name,@position,@accessRight,@status,@createOn,@loginID)";
cmd = new OleDbCommand(strQuery);
cmd.Parameters.AddWithValue("@ID", ID);
cmd.Parameters.AddWithValue("@password", password);
cmd.Parameters.AddWithValue("@name", name);
cmd.Parameters.AddWithValue("@position", position);
cmd.Parameters.AddWithValue("@accessRight", accessRight);
cmd.Parameters.AddWithValue("@status", status);
cmd.Parameters.AddWithValue("@createOn", createOn);
cmd.Parameters.AddWithValue("@loginID", loginID);
bool isInserted = readdata.updateData(cmd);
}
重写您的updateData数据,如下所示
private Boolean updateData(OleDbCommand cmd)
{
string strConString = ConfigurationManager.ConnectionStrings["SOConnectionString"].ConnectionString;
OleDbConnection conn = new OleDbConnection(strConString);
cmd.CommandType = CommandType.Text;
cmd.Connection = con;
try
{
con.Open();
cmd.ExecuteNonQuery();
return true;
}
catch (Exception ex)
{
Response.Write(ex.Message);
return false;
}
finally
{
con.Close();
con.Dispose();
}
}