我正在尝试将数据添加到访问数据库中,到目前为止,这就是我所拥有的。
try
{
connection.Open();
String dataInsert = "INSERT into ClientsT (FirstName, LastName, Address, Email, Phone, CellPhone, Notes) values('" + boxAddName.Text.ToString() + "', '" + boxAddLastName.Text + "', '" + boxAddAdress.Text + "', '" + boxAddEmail.Text + "', '" + boxAddPhone + "', '" + boxAddCellPhone + "','" + boxAddObs.Text + "')";
OleDbCommand command = new OleDbCommand(dataInsert, connection);
command.ExecuteNonQuery();
connection.Close();
MessageBox.Show("Client added,");
} catch(Exception ex){
MessageBox.Show("Error :" + ex);
}
}
它没有给我任何错误消息之王,代码执行得很好但没有添加到数据库中。
请注意,我对c#非常陌生,这是我第一次使用数据库。
答案 0 :(得分:0)
现在挂在那儿!
您正在引入一个潜在的灾难性安全漏洞。让我告诉你原因:
config.include Paperclip::Shoulda::Matchers特别是这些行:
String dataInsert = "INSERT into ClientsT (FirstName, LastName, Address, Email, Phone, CellPhone, Notes) values('" + boxAddName.Text.ToString() + "', '" + boxAddLastName.Text + "', '" + boxAddAdress.Text + "', '" + boxAddEmail.Text + "', '" + boxAddPhone + "', '" + boxAddCellPhone + "','" + boxAddObs.Text + "')";
您正在做的事情基本上是允许用户将他们想要的任何放入数据库。有了这个,用户可以插入他们想要的任何内容,甚至可以使用boxAddName.Text.ToString() // You're converting a string to a string, which is redundant. :P You are also missing a semicolon here.
boxAddLastName.Text
boxAddAdress.Text
boxAddEmail.Text
boxAddPhone // Not a security problem, but you're inserting the TextBox control, not it's text.
boxAddCellPhone // Same as above.
boxAddObs.Text
漏洞。你应该总是清理你的输入。
你可以这样做:
SQL injection你的问题很简单:
您尝试多次插入 string Query = "INSERT into ClientsT (FirstName, LastName, Address, Email, Phone, CellPhone, Notes) values(@FirstName, @LastName, @Address, @Email, @Phone, @CellPhone, @Notes)";
using (SqlConnection connection = new SqlConnection(ConnectionString))
using (SqlCommand cmd = new SqlCommand(Query))
{
connection.Open();
// Please make sure you edit the SqlDbType to the correct SQL Data Type. They are VarChar by default in this example. It's on you to fix that.
cmd.Parameters.Add("@FirstName", SqlDbType.VarChar) = boxAddName.Text;
cmd.Parameters.Add("@LastName", SqlDbType.VarChar) = boxAddLastName.Text;
cmd.Parameters.Add("@Address", SqlDbType.VarChar) = boxAddAddress.Text;
cmd.Parameters.Add("@Email", SqlDbType.VarChar) = boxAddEmail.Text;
cmd.Parameters.Add("@Phone", SqlDbType.VarChar) = boxAddPhone.Text;
cmd.Parameters.Add("@CellPhone", SqlDbType.VarChar) boxAddCellPhone.Text;
cmd.Parameters.Add("@Notes", SqlDbType.VarChar) = boxAddNotes.Text;
// Insert writing code here.
}
控件。查看TextBox和boxAddPhone:您需要使用boxAddCellphone,而不是TextBoxName.Text。所以它会抛出异常,因为你正在捕捉所有异常,你不会知道出了什么问题。它可能是任何东西。
最后,您还要添加TextBoxName,其中不与第一个boxAddObs语句一起插入。
答案 1 :(得分:0)
看起来像' boxAddPhone' &安培; ' boxAddCellPhone'缺少" .Text"