Correct UPDATE statement in C#

Time: 2016-05-24 23:51:40

Tags: c# asp.net visual-studio

I would like to know whether my UPDATE SQL statement is correct, because I have a form in which I want to edit some data. However, for some reason the form does not save the update, and nothing happens in the db.

This is my code-behind:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data;

public partial class edit : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection("Data Source=CASSIA-PC\\SQLEXPRESS;Initial Catalog=clientes;Integrated Security=True");

    protected void Page_Load(object sender, EventArgs e)
    {
        string v = Request.QueryString["id"];
        // The id taken from the query string is concatenated straight into the SQL text.
        SqlCommand cmd = new SqlCommand("SELECT idCliente, nmCliente, fantasia, cpf, cep, logradouro, numero, complemento, bairro, cidade, estado, telefone, celular, insEstadual, insMunicipal, email, homePage, tbClientes.tpCliente, tbTipoClientes.idTipoCliente, tbTipoClientes.nmTipoCliente FROM tbClientes INNER JOIN tbTipoClientes ON tbClientes.tpCliente = tbTipoClientes.idTipoCliente WHERE idCliente = '" + v + "'", con);
        try
        {
            con.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read()) {
                    txtId.Text = reader["idCliente"].ToString();
                    txtNome.Text = reader["nmCliente"].ToString();
                    txtFantasia.Text = reader["fantasia"].ToString();
                    txtCPF.Text = reader["cpf"].ToString();
                    txtCEP.Text = reader["cep"].ToString();
                    txtLogradouro.Text = reader["logradouro"].ToString();
                    txtNumero.Text = reader["numero"].ToString();
                    txtComplemento.Text = reader["complemento"].ToString();
                    txtBairro.Text = reader["bairro"].ToString();
                    txtCidade.Text = reader["cidade"].ToString();
                    txtEstado.Text = reader["estado"].ToString();
                    txtTelefone.Text = reader["telefone"].ToString();
                    txtCelular.Text = reader["celular"].ToString();
                    txtInscEstadual.Text = reader["insEstadual"].ToString();
                    txtInscMunicipal.Text = reader["insMunicipal"].ToString();
                    txtEmail.Text = reader["email"].ToString();
                    txtSite.Text = reader["homePage"].ToString();
                }
            }
        }
        catch (Exception ex)
        {
            // Console output is not visible inside an ASP.NET request, so any error is swallowed here.
            Console.WriteLine(ex.Message);
        }
        finally
        {
            con.Close();
        }

    }

    protected void btnEditar_Click(object sender, EventArgs e)
    {
        string v = Request.QueryString["id"];
        con.Open();
        // Every textbox value and the query-string id are concatenated into the statement text.
        SqlCommand cmd = new SqlCommand("UPDATE tbClientes SET nmCliente = '"+txtNome.Text+"', fantasia = '"+txtFantasia.Text+"', cpf = '"+txtCPF.Text+"', cep = '"+txtCEP.Text+"', logradouro = '"+txtLogradouro.Text+"', numero = '"+txtNumero.Text+"', complemento = '"+txtComplemento.Text+"', bairro = '"+txtBairro.Text+"', cidade = '"+txtCidade.Text+"', estado = '"+txtEstado.Text+"', telefone = '"+txtTelefone.Text+"', celular = '"+txtCelular.Text+ "', insEstadual = '"+txtInscEstadual.Text+"', insMunicipal = '"+txtInscMunicipal.Text+"', email = '"+txtEmail.Text+"', homePage = '"+txtSite.Text+"' WHERE idCliente = '" + v + "'", con);
        try
        {
            cmd.ExecuteNonQuery();
        }
        catch (Exception ex)
        {
            // Console output is not visible inside an ASP.NET request, so any error is swallowed here.
            Console.WriteLine(ex.Message);
        }
        finally
        {
            con.Close();
        }
    }
}

2 answers:

Answer 0 (score: 3)

I'm pretty sure your problem is:

WHERE idCliente = '" + v + "'"

Since the client ID is most likely a numeric field in the database, you want to treat it as one:

WHERE idCliente = " + v

Blorgbeard mentioned that you need to use a parameterized command to protect against an SQL Injection attack. That will also solve issues such as text boxes containing apostrophes, which would likewise cause the UPDATE to fail.

Answer 1 (score: 0)

I agree with Jeremy: it would be better if you changed to a parameterized query. Alternatively, set the query in a label, copy the query and test it directly in SQL Server.

string query = "Update..."

Copy the query text and test it directly in SQL Server.
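The parameterized version of the page that both answers ask for, as an added example that is not code from the question or from either answer. It keeps the question's table name, column names and control IDs, and assumes three things not in the original: the connection string is moved to web.config under the name `clientes`, the text columns are NVARCHAR of at most 200 characters, and the project references System.Configuration. Two further points a practitioner would check against the posted code: the SELECT in Page_Load concatenates the `id` query-string value exactly as the UPDATE does, so it needs the same treatment; and Page_Load has no IsPostBack guard, so on the postback raised by btnEditar it re-reads the row into the textboxes before btnEditar_Click runs, which makes the UPDATE write back the values already stored. A name such as O'Brien also breaks the concatenated statement, since it produces `nmCliente = 'O'Brien'`.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class edit : Page
{
    // Assumption: the connection string lives in web.config under the name "clientes"
    // instead of being hard-coded with a machine name in the page.
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["clientes"].ConnectionString; }
    }

    // Column -> textbox mapping. The column names are constants taken from the question's
    // schema and never come from the request, so joining them into the SQL text below
    // does not make the statement depend on user input.
    private Dictionary<string, TextBox> FieldMap()
    {
        return new Dictionary<string, TextBox>
        {
            ["nmCliente"] = txtNome, ["fantasia"] = txtFantasia, ["cpf"] = txtCPF,
            ["cep"] = txtCEP, ["logradouro"] = txtLogradouro, ["numero"] = txtNumero,
            ["complemento"] = txtComplemento, ["bairro"] = txtBairro, ["cidade"] = txtCidade,
            ["estado"] = txtEstado, ["telefone"] = txtTelefone, ["celular"] = txtCelular,
            ["insEstadual"] = txtInscEstadual, ["insMunicipal"] = txtInscMunicipal,
            ["email"] = txtEmail, ["homePage"] = txtSite,
        };
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Populate the form only on the initial GET. On the postback raised by btnEditar,
        // Page_Load runs before btnEditar_Click, so reloading the textboxes here would
        // overwrite the user's edits with the stored values.
        if (IsPostBack) return;

        int id = RequireClientId();
        var fields = FieldMap();
        string sql = "SELECT " + string.Join(", ", fields.Keys) +
                     " FROM tbClientes WHERE idCliente = @id";

        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                    throw new HttpException(404, "Client not found");
                txtId.Text = id.ToString();
                foreach (var f in fields)
                    f.Value.Text = reader[f.Key] == DBNull.Value ? "" : reader[f.Key].ToString();
            }
        }
    }

    protected void btnEditar_Click(object sender, EventArgs e)
    {
        int id = RequireClientId();
        var fields = FieldMap();
        string sql = "UPDATE tbClientes SET " +
                     string.Join(", ", fields.Keys.Select(c => c + " = @" + c)) +
                     " WHERE idCliente = @id";

        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            foreach (var f in fields)
            {
                // Typed NVarChar parameter (length 200 assumed): the value is sent as data,
                // so an apostrophe in "O'Brien" or a "'; DROP TABLE ..." payload is stored
                // literally and never parsed as part of the statement.
                cmd.Parameters.Add("@" + f.Key, SqlDbType.NVarChar, 200).Value =
                    string.IsNullOrEmpty(f.Value.Text) ? (object)DBNull.Value : f.Value.Text;
            }
            con.Open();
            int rows = cmd.ExecuteNonQuery();
            // Check the affected row count instead of swallowing exceptions: a catch that
            // only calls Console.WriteLine is invisible inside an ASP.NET request.
            if (rows != 1)
                throw new HttpException(404, "Client not found");
        }
    }

    // The id arrives in the query string and must be a positive integer; refuse anything else
    // before it gets anywhere near the database.
    private int RequireClientId()
    {
        int id;
        if (!int.TryParse(Request.QueryString["id"], out id) || id <= 0)
            throw new HttpException(400, "Missing or invalid client id");
        return id;
    }
}
```

With the parameters typed to the column, the WHERE clause no longer depends on whether the id is quoted, which is the case Answer 0 describes, and the apostrophe problem both answers mention disappears because the text is never spliced into the statement. The using blocks also replace the page-level SqlConnection field, so a connection is opened and disposed per request rather than shared across handlers.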