使用不起作用的会话更新数据库C#SQL

时间:2015-11-19 12:08:27

标签: c# sql sql-update session-variables sqlcommand

因此,我的代码将搜索讲师的userID和用户先前选择的ModuleID。但是它在这条线上打破了;

myCommand.ExecuteNonQuery();

错误是;

An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code

Additional information: Incorrect syntax near '('.

我不知道为什么会这样做,但是当我使用断点时,我可以看到我的东西被拉过来了。

前端代码:

<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:DefaultConnection %>" 
            SelectCommand="SELECT Lecturer_Records.UserID, Lecturer_Records.FirstName, Lecturer_Records.Surname, Lecturer_Records.PhoneNumber, Users.Email 
            FROM Lecturer_Records 
            INNER JOIN Users ON Lecturer_Records.UserID = Users.UserID 
            WHERE (Users.Email = @email)">
            <SelectParameters>
                <asp:QueryStringParameter Name="email" QueryStringField="searchlects" />
                <asp:SessionParameter Name="ModuleID" SessionField="ModuleID" Type="Int32" />
            </SelectParameters>
        </asp:SqlDataSource>




        <asp:GridView ID="SearchResult" runat="server" AutoGenerateColumns="False" AutoGenerateSelectButton="True"  DataSourceID="SqlDataSource1" OnSelectedIndexChanged="SearchResult_SelectedIndexChanged">
            <Columns>
                <asp:BoundField DataField="UserID" HeaderText="UserID" SortExpression="UserID" />
                <asp:BoundField DataField="FirstName" HeaderText="FirstName" SortExpression="FirstName" />
                <asp:BoundField DataField="Surname" HeaderText="Surname" SortExpression="Surname" />
                <asp:BoundField DataField="PhoneNumber" HeaderText="PhoneNumber" SortExpression="PhoneNumber" />
                <asp:BoundField DataField="Email" HeaderText="Email" SortExpression="Email" />
            </Columns>
        </asp:GridView>

我的C#代码

    protected void SearchResult_SelectedIndexChanged(object sender, EventArgs e)
    {

     // open new connection
        SqlConnection connection1 = new SqlConnection(ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString);
        connection1.Open();

        string SearchUser = SearchResult.SelectedRow.Cells[1].Text;
        string Module = (string)Session["ModuleID"];

        SqlCommand myCommand = new SqlCommand("UPDATE [Modules] SET (UserID = '" + SearchUser + "') WHERE (ModuleID = '" + Module + "')", connection1);


        myCommand.ExecuteNonQuery();
        // move on to home page
        Response.Redirect("APMDefault.aspx");
    }

1 个答案:

答案 0 :(得分:1)

您的命令中不需要任何()。他们打破你的SQL语法。只需删除它们。

但更重要的是,您应该始终使用parameterized queries。这种字符串连接对SQL Injection攻击开放。

根据您的列名称,它们似乎是一种数字类型。这意味着,您可能还需要删除单引号。如果你使用prepared statements,当然不需要这个。

并使用using语句来处置您的连接和命令。

using(var connection1 = new SqlConnection(ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString))
using(var myCommand = connection1.CreateCommand())
{
     myCommand.CommandText = @"UPDATE Modules SET UserID = @userid 
                               WHERE ModuleID = @moduleid";
     myCommand.Parameters.Add("@userid", SqlDbType.NVarChar).Value = SearchUser;   
     myCommand.Parameters.Add("@moduleid", SqlDbType.NVarChar).Value = Module;
     // I assumed your column types are nvarchar
     connection1.Open();
     myCommand.ExecutenonQuery();
     // move on to home page
     Response.Redirect("APMDefault.aspx");
}

确实,这些列似乎是数字类型。您可以输入他们的类型或更改他们的名称,将其类型指定为角色。