C#代码:
string d;
// The column name is built from user-controlled text (mission.Text) and is
// later spliced into the statement text by string.Format, so this is an SQL
// injection vector: a column name cannot be sent as an SqlParameter, which is
// why it has to be validated (or matched against a fixed list) before use.
d = "did" + mission.Text;
int p = 0;
// Only the username is a real parameter here; {0} is raw, unvalidated text.
var command = string.Format("SELECT {0} FROM [User] WHERE Username = @name", d);
using (SqlCommand cBd = new SqlCommand(command, c))
{
cBd.Parameters.AddWithValue("@name", txtuser.Text);
c.Open();
// Source of the reported InvalidCastException: unboxing requires the runtime
// type to be exactly int. DBNull.Value (a NULL column) or a boxed non-int type
// (e.g. a bigint/decimal column) throws InvalidCastException here; a missing
// row makes ExecuteScalar return null, which would throw NullReferenceException.
p = (int)cBd.ExecuteScalar();
c.Close();
}
p++;
// "SET @mission = @par" does not set the intended column: @mission is a
// parameter/variable, not a column name, so at best this assigns to the
// variable and leaves the table unchanged.
SqlCommand cmd = new SqlCommand("UPDATE [User] SET @mission = @par WHERE Username = @name",c);
cmd.Parameters.AddWithValue("@mission", d);
cmd.Parameters.AddWithValue("@par",p);
cmd.Parameters.AddWithValue("@name", txtuser.Text);
c.Open();
cmd.ExecuteNonQuery();
c.Close();
错误:
类型为 'System.InvalidCastException' 的异常在 App_Web_sazkdh0g.dll 中发生，但未在用户代码中进行处理
其他信息: 指定的转换无效。(原文: Specified cast is not valid.)
正确的代码:
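// In a using statement, acquire the SqlConnection as a resource.
using (SqlConnection con = new SqlConnection(connectionString))
{
    con.Open();

    // The column to read and update is derived from user-controlled text
    // (mission.Text). A column name cannot be passed as an SqlParameter, so it
    // has to be spliced into the statement text. To keep that from being an
    // SQL injection vector, only allow ASCII letters, digits and '_' after the
    // fixed "did" prefix and quote the result with brackets; anything else is
    // rejected. NOTE(review): matching against the fixed set of "did*" columns
    // the schema actually has would be stricter still.
    string d = "did" + mission.Text;
    bool validName = d.Length > 3;
    foreach (char ch in d.Substring(3))
    {
        bool allowed = (ch >= 'a' && ch <= 'z')
            || (ch >= 'A' && ch <= 'Z')
            || (ch >= '0' && ch <= '9')
            || ch == '_';
        if (!allowed)
        {
            validName = false;
            break;
        }
    }
    if (!validName)
    {
        throw new ArgumentException("Mission must contain only letters, digits or '_'.", "mission");
    }
    string column = "[" + d + "]";

    // Read the current value. ExecuteScalar returns DBNull.Value for a NULL
    // column and null when no row matched; a direct (int) unbox fails on both
    // (and on any column type other than int), which was the reported
    // InvalidCastException. Convert.ToInt32 accepts the usual numeric types.
    int p = 0;
    string command = string.Format("SELECT {0} FROM [User] WHERE Username = @name", column);
    using (SqlCommand cmd = new SqlCommand(command, con))
    {
        cmd.Parameters.AddWithValue("@name", txtuser.Text);
        object result = cmd.ExecuteScalar();
        if (result != null && result != DBNull.Value)
        {
            p = Convert.ToInt32(result);
        }
    }

    // Increment before writing back, as the question's code did (this step was
    // missing from the answer, which wrote the unchanged value). NOTE(review):
    // this read-then-update is not atomic; concurrent requests for the same
    // user can lose increments unless done in one UPDATE or a transaction.
    p++;
    command = string.Format("UPDATE [User] SET {0} = @par WHERE Username = @name", column);
    using (SqlCommand cmd = new SqlCommand(command, con))
    {
        cmd.Parameters.AddWithValue("@par", p);
        cmd.Parameters.AddWithValue("@name", txtuser.Text);
        cmd.ExecuteNonQuery();
    }
}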
sql injection
string.Format