ConnectionStrings错误c#

时间:2018-03-07 12:58:06

标签: c#

    // Click handler: reads the row whose [ID] equals the text in textBox1 and ticks
    // every checkedListBox1 entry whose text matches one of the comma-separated
    // values in that row's Decision column. `con` is a field declared outside this
    // listing; the method's closing brace is also missing from the listing.
    private void button2_Click(object sender, EventArgs e)
    {
        if (textBox1.Text != "")
        {
            try
            {
                // ConnectionStringSettings.ToString() returns the raw connection string.
                // If the "DeathWish" entry is absent from config the indexer yields null
                // and this line throws NullReferenceException (caught below).
                con.ConnectionString = ConfigurationManager.ConnectionStrings["DeathWish"].ToString();
                // NOTE(review): `con` is never closed on the success path, so a second
                // click reaches Open() on an already-open connection.
                con.Open();
                // SECURITY: textBox1.Text is spliced straight into the SQL text. A single
                // quote (or a comment sequence) typed into the box changes the statement
                // that runs -- classic SQL injection. Pass the ID as a SqlParameter
                // instead (answer 0 below shows the parameterized form).
                string query = string.Format("Select [ID],Decision from Data where [ID]='{0}' order by Decision", textBox1.Text);
                SqlCommand cmd = new SqlCommand(query,con);
                // Neither the command nor the reader is disposed; wrap both in `using`.
                SqlDataReader dr = cmd.ExecuteReader();
                string[] s = new string[] { };
                // Each iteration overwrites `s`, so only the last row read is kept.
                while (dr.Read())
                {
                    s = dr["Decision"].ToString().Split(',');
                }
                int length = s.Length;
                // Stops one element short of the end -- presumably to skip the empty
                // string left by a trailing comma; confirm against the stored format.
                for (int i = 0; i < length - 1; i++)
                {
                    string fetr = s[i];
                    for (int j = 0; j <= checkedListBox1.Items.Count - 1; j++)
                    {
                        if (checkedListBox1.Items[j].ToString() == s[i])
                        {
                            checkedListBox1.SetItemChecked(j, true);
                            break;
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                // ex.ToString() carries the stack trace and may echo connection details;
                // showing it to the user is a minor information leak.
                MessageBox.Show(ex.Message + ex.ToString());
            }
        }       

string query = string.Format("Select [ID],Decision from Data where [ID]='{0}' order by Decision", textBox1.Text); 就是出错的那一行。编辑（见第2张图片）：我想使用 checkedListBox

检索数据库上的特定值

这是图片:

Error message — I wanted to retrieve the data from the database and show the specific value.

2 个答案:

答案 0 :(得分:2)

所以有几件事:

考虑把数据库访问代码放在 using 块中，并用连接字符串实例化一个新的连接。这样无论是正常执行完毕还是抛出异常，连接都会被正确关闭并释放（SqlCommand 和 SqlDataReader 同样应当放在 using 中释放）。

其次，如果还涉及事务，把 try/catch 放在 using 语句内部是个好习惯：这样可以在 try 末尾提交，在 catch 块中回滚。

最后，永远不要用字符串拼接来构建查询，尤其当拼接进去的数据来自用户控件时（说真的，任何时候都不要）。注入至今仍是 OWASP Top 10（2017 年版 A1）中排名第一的安全风险，必须彻底杜绝。

强制性阅读:

OWASP - 2017 report
SQL Injection - Wikipedia
SQL Injection - Technet

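// Click handler: looks up the row whose [ID] equals the text in textBox1 and ticks
// every checkedListBox1 entry named in that row's comma-separated Decision column.
// Connection, command and reader are created per click and released by `using`,
// so nothing stays open between clicks and the ID reaches SQL Server only as a
// bound parameter, never as part of the statement text.
private void button2_Click(object sender, EventArgs e)
{
    if (string.IsNullOrEmpty(textBox1.Text))
    {
        return;
    }

    try
    {
        // ConnectionStringSettings.ConnectionString is the string itself; the indexer
        // returns null when the "DeathWish" entry is missing from config, which
        // surfaces as a NullReferenceException in the catch below rather than
        // crashing the UI thread.
        string connectionString = ConfigurationManager.ConnectionStrings["DeathWish"].ConnectionString;

        using (SqlConnection con = new SqlConnection(connectionString))
        using (SqlCommand cmd = con.CreateCommand())
        {
            // Parameterized: quotes or comment sequences typed into the box cannot
            // alter the statement (the original's fix for the SQL injection).
            cmd.CommandText = "Select [ID],Decision from Data where [ID]=@id order by Decision";
            SqlParameter idParam = new SqlParameter();
            idParam.ParameterName = "@id";
            // NOTE(review): the type of column [ID] is not visible here. A string value
            // is sent as nvarchar; if the column is varchar/int, set SqlDbType and
            // Size explicitly so the index is used and no implicit conversion occurs.
            idParam.Value = textBox1.Text;
            cmd.Parameters.Add(idParam);

            con.Open();

            string[] decisions = new string[0];
            // The reader is disposed before the UI is touched; as in the original,
            // only the last row read is kept.
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    decisions = dr["Decision"].ToString().Split(',');
                }
            }

            // Same bounds as the original: the final element is skipped (presumably an
            // empty string left by a trailing comma -- confirm against the stored format).
            for (int i = 0; i < decisions.Length - 1; i++)
            {
                for (int j = 0; j < checkedListBox1.Items.Count; j++)
                {
                    if (checkedListBox1.Items[j].ToString() == decisions[i])
                    {
                        checkedListBox1.SetItemChecked(j, true);
                        break;
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Show only the message: ex.ToString() includes the stack trace and can echo
        // connection details to whoever is sitting at the screen.
        MessageBox.Show(ex.Message);
    }
}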

答案 1 :(得分:-2)

您的连接（仍然）处于打开状态，因此在再次调用 Open() 之前必须先检查它是否已关闭。注意：下面的代码在设置 ConnectionString 之前就调用了 Open()，这个顺序是错的（空连接字符串上的 Open() 会抛出异常）；而且它仍然把 textBox1.Text 直接拼进 SQL 文本，并没有解决答案 0 指出的 SQL 注入问题。

所以试试这个:

private void button2_Click(object sender, EventArgs e)
{
    if (textBox1.Text != "")
    {
        try
        {
            if(con.State == ConnectionState.Closed)
            {
                 con.Open();
            }
            con.ConnectionString = ConfigurationManager.ConnectionStrings["DeathWish"].ToString();


            string query = string.Format("Select [ID],Decision from Data where [ID]='{0}' order by Decision", textBox1.Text);
            SqlCommand cmd = new SqlCommand(query,con);
            SqlDataReader dr = cmd.ExecuteReader();
            string[] s = new string[] { };
            while (dr.Read())
            {
                s = dr["Decision"].ToString().Split(',');
            }
            int length = s.Length;
            for (int i = 0; i < length - 1; i++)
            {
                string fetr = s[i];
                for (int j = 0; j <= checkedListBox1.Items.Count - 1; j++)
                {
                    if (checkedListBox1.Items[j].ToString() == s[i])
                    {
                        checkedListBox1.SetItemChecked(j, true);
                        break;
                    }
                }
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message + ex.ToString());
        }
    }