我正在努力想要弄清楚如何做到这一点。我试图从文本框输入允许管理员更新Archive_Decade_Tbl中的数据,如果他们选择添加照片,则在Archive_Image_Tbl中插入一行。我有更新查询工作,但我不能为我的生活得到插入工作。请注意我对此非常陌生,所以我的代码可能看起来很恶心,我现在也不担心安全性所以我知道它很容易受到SQL注入但是请帮助我
以下是更新功能的代码:
protected void update_Clicked(object sender, EventArgs e){
string connectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" + Server.MapPath("~\\database\\ARCHIVE_MASTER_DATABASE.accdb") + "; Persist Security Info=False;";
DataSet infoDs = new DataSet();
OleDbDataAdapter OleDbAdapter;
classMe.Attributes.Add("class", "productInfoContainerNoFloat");
string cmd1 = @"Select * From ARCHIVE_DECADE_TBL WHERE ARCHIVE_ID_NUMBER=@buttonClicked";
string cmd2 = @"Select * From ARCHIVE_IMAGE_TBL WHERE ARCHIVE_ID_NUMBER=@buttonClicked";
OleDbConnection dbConn = new OleDbConnection(connectionString);
try
{
dbConn.Open();
OleDbAdapter = new OleDbDataAdapter(cmd1, dbConn);
OleDbAdapter.SelectCommand.Parameters.Add("@buttonClicked", OleDbType.Integer).Value = archiveIdNumber.InnerText.Substring(33);
OleDbAdapter.Fill(infoDs, "First Table");
OleDbAdapter.SelectCommand.CommandText = cmd2;
OleDbAdapter.Fill(infoDs, "Second Table");
OleDbAdapter.Dispose();
string cmdString = "Update ARCHIVE_DECADE_TBL Set PRODUCT_NAME='" + Request.Form["nameBox"] + "', MODEL_NUMBER='" + Request.Form["modelBox"] + "', YEAR_INTRODUCED='" + Request.Form["startBox"] + "', YEAR_DISCONTINUED='" + Request.Form["endBox"] + "', PRODUCT_LINE='" + Request.Form["lineBox"] + "', LOCATION='" + Request.Form["locationBox"] + "', QUANTITY='" + int.Parse(Request.Form["quantityBox"]) + "' " +
"Where ARCHIVE_ID_NUMBER=" + int.Parse(Request.Form["archiveBox"]);
OleDbAdapter.UpdateCommand = new OleDbCommand(cmdString, dbConn);
OleDbAdapter.UpdateCommand.ExecuteNonQuery();
dbConn.Close();
if (addPhotos.HasFiles)
{
//cmdString = "Update ARCHIVE_DECADE_TBL Set PRODUCT_NAME='" + Request.Form["nameBox"] + "', MODEL_NUMBER='" + Request.Form["modelBox"] + "', YEAR_INTRODUCED='" + Request.Form["startBox"] + "', YEAR_DISCONTINUED='" + Request.Form["endBox"] + "', PRODUCT_LINE='" + Request.Form["lineBox"] + "', LOCATION='" + Request.Form["locationBox"] + "' " +
//"Where ARCHIVE_ID_NUMBER=" + int.Parse(Request.Form["archiveBox"]);
var x = 0;
if (!System.IO.Directory.Exists(Server.MapPath("includes/images/archives/" + Request.Form["archiveBox"] + "_1")))
{
System.IO.Directory.CreateDirectory(Server.MapPath("includes/images/archives/" + Request.Form["archiveBox"] + "_1"));
}
String filePath = Server.MapPath("includes/images/archives/" + Request.Form["archiveBox"] + "_1");
HttpFileCollection uploadedFiles = Request.Files;
for (int i = 0; i < uploadedFiles.Count; i++)
{
HttpPostedFile userPostedFile = uploadedFiles[i];
if (userPostedFile.ContentLength > 0)
{
string extension = Path.GetExtension(userPostedFile.FileName);
//Request.Form["archiveBox"] + "_" + i will be the same as the "IMAGE" column in the IMAGE_TBL
uploadedFiles[i].SaveAs(filePath + "/" + Request.Form["archiveBox"] + "_" + (i + 1) + extension);
}
x++;
}
OleDbConnection dbConn2 = new OleDbConnection(connectionString);
OleDbDataAdapter OleDbAdapter2;
DataSet infoDs2 = new DataSet();
try
{
dbConn2.Open();
OleDbAdapter2 = new OleDbDataAdapter(cmd1, dbConn);
string cmdString2 = "INSERT INTO ARCHIVE_IMAGE_TBL (ARCHIVE_ID_NUMBER, MODEL_NUMBER, LOCATION, IMAGE, NUMBER_OF_IMAGES, IMAGE_FILE_TYPE) VALUES ('" + Request.Form["archiveBox"].ToString() + "', '" + Request.Form["modelBox"].ToString() + "', '" + Request.Form["locationBox"].ToString() + "', '" + Request.Form["archiveBox"].ToString() + "_1" + "', '" + uploadedFiles.Count.ToString() + "', 'jpg');";
testLbl.InnerText = cmdString2;
OleDbAdapter2.InsertCommand = new OleDbCommand(cmdString2, dbConn2);
OleDbAdapter2.InsertCommand.ExecuteNonQuery();
}
catch (Exception ex)
{
}
}
}
catch (Exception ex)
{
}
}
现在我得到的是我的Insert Into语句中存在语法错误,但我不知道为什么因为我将字符串打印到标签中,将其复制/粘贴到Access中并且它完全符合我的要求< / p>
答案 0 :(得分:1)
语法错误是由名为IMAGE的列引起的。这是MS-Access的保留关键字,如果您在代码中使用 ,则需要在方括号之间封装该名称。
因此,插入查询的开头应写为
string cmdString2 = @"INSERT INTO ARCHIVE_IMAGE_TBL (ARCHIVE_ID_NUMBER,
MODEL_NUMBER, LOCATION, [IMAGE], NUMBER_OF_IMAGES, IMAGE_FILE_TYPE)
VALUES ( .......)";
说,请考虑立即切换到参数化查询,因为您只是处于隐式转换和解析问题导致的一系列可能语法错误的开始。和Sql Injection黑客
所以例如
string cmdString2 = @"INSERT INTO ARCHIVE_IMAGE_TBL (ARCHIVE_ID_NUMBER,
MODEL_NUMBER, LOCATION, [IMAGE], NUMBER_OF_IMAGES, IMAGE_FILE_TYPE)
VALUES (@id, @num, @loc, @img, @imgnum, 'jpg')";
OleDbCommand cmd = new OleDbCommand(cmdString2, con1);
cmd.Parameters.Add("@id", OleDbType.VarWChar).Value = Request.Form["archiveBox"].ToString();
... and so on for the other parameters placeholders
cmd.ExecuteNonQuery();
请记住为参数使用正确的数据类型。如果列需要一个整数,则创建一个OleDbType.Integer的参数并将该值设置为整数,对于日期和浮点数也是如此。
顺便说一句,要执行命令,您不需要OleDbDataAdapter。
答案 1 :(得分:0)
这意味着在这里使用dbConn2,就在你的插入语句之上吗?
...
dbConn2.Open();
OleDbAdapter2 = new OleDbDataAdapter(cmd1, dbConn); // <-- here
string cmdString2 = "INSERT INTO ARCHIVE_IMAGE_TBL (ARCHIVE_ID_NUMBER, MODEL_NUMBER, LOCATION, IMAGE, NUMBER_OF_IMAGES, IMAGE_FILE_TYPE) VALUES ('" + Request.Form["archiveBox"].ToString() + "', '" + Request.Form["modelBox"].ToString() + "', '" + Request.Form["locationBox"].ToString() + "', '" + Request.Form["archiveBox"].ToString() + "_1" + "', '" + uploadedFiles.Count.ToString() + "', 'jpg');";
...
另外,我知道你提到过,但请使用参数来消除SQL注入的风险。你也想要处理你的一次性课程(连接,命令等)。