private void button2_Click(object sender, EventArgs e)
{
if (textBox1.Text != "")
{
try
{
con.ConnectionString = ConfigurationManager.ConnectionStrings["DeathWish"].ToString();
con.Open();
string query = string.Format("Select [ID],Decision from Data where [ID]='{0}' order by Decision", textBox1.Text);
SqlCommand cmd = new SqlCommand(query,con);
SqlDataReader dr = cmd.ExecuteReader();
string[] s = new string[] { };
while (dr.Read())
{
s = dr["Decision"].ToString().Split(',');
}
int length = s.Length;
for (int i = 0; i < length - 1; i++)
{
string fetr = s[i];
for (int j = 0; j <= checkedListBox1.Items.Count - 1; j++)
{
if (checkedListBox1.Items[j].ToString() == s[i])
{
checkedListBox1.SetItemChecked(j, true);
break;
}
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message + ex.ToString());
}
}
string query = string.Format("Select [ID],Decision from Data where [ID]='{0}' order by Decision", textBox1.Text);
是有错误的行。
编辑第2张图片*我想使用checkedboxlist
这是图片:
error msg i wanted to retrieve the data on the database and show the specific value
答案 0 :(得分:2)
所以有几件事:
考虑将您的数据库访问代码封装在using
块中,并使用您的连接字符串实例化新连接。这可以确保 - 通过错误或完成块 - 连接正确关闭并处理掉。
其次,如果您还在处理事务,那么在using语句中移动try / catch是很好的做法,因为您可以在catch
块中提交完成或回滚。
最后,从不使用字符串连接来构建查询,当您连接的数据源来自用户控件时(地狱,从不这样做)。到目前为止,SQL注入仍然是软件中OWASP的第一安全风险,需要将其压缩。
强制性阅读:
OWASP - 2017 report
SQL Injection - Wikipedia
SQL Injection - Technet
private void button2_Click(object sender, EventArgs e)
{
if (textBox1.Text != "")
{
// a SqlConnection enclosed in a `using` statement will auto-close, and will ensure other resources are correctly disposed
using(SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["DeathWish"].ToString()))
{
try
{
con.Open()
string[] s = new string[] { };
string query = "Select [ID],Decision from Data where [ID]=@id order by Decision";
SqlCommand cmd = new SqlCommand(query, con);
SqlParameter idParam = new SqlParameter();
idParam.ParameterName = "@id";
idParam.Value = textBox1.Text;
cmd.Parameters.Add(idParam);
SqlDataReader dr = cmd.ExecuteReader();
while (dr.Read())
{
s = dr["Decision"].ToString().Split(',');
}
int length = s.Length;
for (int i = 0; i < length - 1; i++)
{
string fetr = s[i];
for (int j = 0; j <= checkedListBox1.Items.Count - 1; j++)
{
if (checkedListBox1.Items[j].ToString() == s[i])
{
checkedListBox1.SetItemChecked(j, true);
break;
}
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message + ex.ToString());
}
}
}
}
答案 1 :(得分:-2)
您的连接(仍然)已打开,因此您必须检查它是否已关闭。如果是,您可以打开新连接。
所以试试这个:
private void button2_Click(object sender, EventArgs e)
{
if (textBox1.Text != "")
{
try
{
if(con.State == ConnectionState.Closed)
{
con.Open();
}
con.ConnectionString = ConfigurationManager.ConnectionStrings["DeathWish"].ToString();
string query = string.Format("Select [ID],Decision from Data where [ID]='{0}' order by Decision", textBox1.Text);
SqlCommand cmd = new SqlCommand(query,con);
SqlDataReader dr = cmd.ExecuteReader();
string[] s = new string[] { };
while (dr.Read())
{
s = dr["Decision"].ToString().Split(',');
}
int length = s.Length;
for (int i = 0; i < length - 1; i++)
{
string fetr = s[i];
for (int j = 0; j <= checkedListBox1.Items.Count - 1; j++)
{
if (checkedListBox1.Items[j].ToString() == s[i])
{
checkedListBox1.SetItemChecked(j, true);
break;
}
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message + ex.ToString());
}
}