我是ASP.Net的新手,
我在从上一页传递UserID时从DB检索员工信息时遇到问题。 我从第1页的数据网格中选择时设法传递了userID,但是当加载第2页时,它给出了一个错误:列名无效'传递的字符串值'
下面是我的代码:
第1页:
protected void imgBtnView_Click(object sender,ImageClickEventArgs e)
{
ImageButton imgBtn = (ImageButton)sender;
string UserID = imgBtn.CommandArgument;
Response.Redirect("Employee.aspx?UserID=" + UserID);
}
第2页:
页面加载
protected void Page_Load(object sender, EventArgs e)
{
txtEmployeeNo.Text = Request.QueryString["UserID"];
FillFields(txtEmployeeNo.Text);
}
方法FillFields
private void FillFields(string User_ID)
{
String commandString = @"SELECT * FROM [dbo].[Tbl_Employee] WHERE
[UserID] = "+ User_ID;
DataRow dr = Global.StartQuery(commandString).Rows[0]; -- > global class
txtEmployeeNo.Text = User_ID;
txtFirstName.Text = dr["FirstName"].ToString();
txtLastName.Text = dr["LastName"].ToString();
}
请告诉我代码中的错误。
提前谢谢
答案 0 :(得分:2)
使用以下代码行。
String commandString = @"SELECT * FROM [dbo].[Tbl_Employee] WHERE
[UserID] = '"+User_ID+"'";
答案 1 :(得分:1)
您应该将此代码添加到Page_Load事件
if (!IsPostBack)
{
//Your operations
}
答案 2 :(得分:0)
非常不鼓励在浏览器网址中传递敏感信息。如果需要对信息进行散列或加密(建议加密)。可以使用而不是在查询字符串会话中传递值。虽然仍然可以劫持会话;会话可以被认为比url中的纯文本更安全。因此使用会话可以解决上述问题
protected void imgBtnView_Click(object sender, ImageClickEventArgs e)
{
ImageButton imgBtn = (ImageButton)sender;
//string UserID = imgBtn.CommandArgument; //just ignored intermediate value holder
Session["UserID"] = imgBtn.CommandArgument;
Response.Redirect("Employee.aspx");
}
protected void Page_Load(object sender, EventArgs e)
{
if(!IsPostBack) //Do stuff only during page first load.
{
//Check if session is null.
string userId = Session["UserID"]==null? String.Empty : Session["UserID"].ToString();
txtEmployeeNo.Text = userId;
if(!String.IsNullOrEmpty(userId))
{
FillFields(userId);
}
}
}
//This method should return datatable or DataRow and avoid setting control value.
//Returing datatable or DataRow makes this method more reusable.
private void FillFields(string User_ID)
{
//This way of execuring sql query is highly discourage.
//You should use parametrized sql command or use store procedure.
String commandString = @"SELECT * FROM [dbo].[Tbl_Employee] WHERE
[UserID] = '"+ User_ID + "'";
DataRow dr = Global.StartQuery(commandString).Rows[0]; -- > global class
txtEmployeeNo.Text = User_ID;
txtFirstName.Text = dr["FirstName"].ToString();
txtLastName.Text = dr["LastName"].ToString();
}
Page_Load和方法的变化很少。
protected void Page_Load(object sender, EventArgs e)
{
if(!IsPostBack) //Do stuff only during page first load.
{
//Check if session is null.
string userId = Session["UserID"]==null? String.Empty : Session["UserID"].ToString();
txtEmployeeNo.Text = userId;
if(!String.IsNullOrEmpty(userId))
{
DataRow dr = FillFields(userId);
txtEmployeeNo.Text = User_ID;
txtFirstName.Text = dr["FirstName"].ToString();
txtLastName.Text = dr["LastName"].ToString();
}
}
}
private DataRow FillFields(string User_ID)
{
//This way of execuring sql query is highly discourage.
//You should use parametrized sql command or use store procedure.
String commandString = @"SELECT * FROM [dbo].[Tbl_Employee] WHERE
[UserID] = '"+ User_ID + "'";
DataRow dr = Global.StartQuery(commandString).Rows[0]; -- > global class
return dr;
}
当传递无效的UserID时,仍然可以通过异常FillFields。假设UserId值为5并且该用户ID没有记录,那么FillFields将不会返回datarow
DataRow dr = Global.StartQuery(commandString).Rows[0];
//will throw exception as you are trying to access first row
//where row are not available. You must handle this scenario.