当尝试通过Visual Studio 2017连接到SQL Server数据库时,我一直收到空引用。下面是引用的位置以及它如何尝试连接以收集数据。请帮忙!谢谢!。
Profile.aspx
protected void updateProfile(object sender, EventArgs e)
{
// Database entry
string message = "Your information has been updated accoridngly!<br><br>";
double number;
if (txtName.Text.Equals("") || ddlDegree.SelectedValue.Equals("") || txtExperience.Text.Equals("") || !Double.TryParse(txtExperience.Text, out number) || txtSalary.Text.Equals("") || txtStreet.Text.Equals("") || txtCity.Text.Equals("") || txtState.Text.Equals("") || txtZipcode.Text.Equals(""))
{
message += "However:<br>There was an error found in your entry fields, resulting in a failure to store field information. Make sure that all fields are filled and that the Experience field is a double value.";
}
else
{
**myDataLayer.updateStaff(Session["userid"].ToString(), txtName.Text, ddlDegree.SelectedValue, txtExperience.Text, txtSalary.Text, txtStreet.Text, txtCity.Text, txtState.Text, txtZipcode.Text);** - **Null Reference**
}
这是需要引用的数据层类:
string _ConString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection con;
SqlDataAdapter sda = new SqlDataAdapter();
SqlCommand cmd = new SqlCommand();
SqlDataReader data;
// Handles updating staff info
public bool updateStaff(string userid, string full_name, string degree, string experience, string salary, string street, string city, string state, string zipcode)
{
try
{
con = new SqlConnection(_ConString);
con.Open();
cmd = new SqlCommand();
cmd.Connection = con;
cmd.CommandText = "UPDATE staff SET [full_name] = '" + full_name + "', [degree] = '" + degree + "', [experience] = '" + experience + "', [salary] = '" + salary + "', [street] = '" + street + "', [city] = '" + city + "', [state] = '" + state + "', [zipcode] = '" + zipcode + "' WHERE userid = '" + userid + "'";
cmd.ExecuteNonQuery();
con.Close();
return true;
}
catch (OleDbException e)
{
System.Diagnostics.Debug.WriteLine(e.ToString());
}
finally
{
con.Close();
}
return false;
}
答案 0 :(得分:0)
您的验证是微弱的,并且永远不要在不参数化它们的情况下构建用于插入,更新,删除的sql命令。您很容易使用SQL-INJECTION。
首先,基本验证。通过使用IsNullOrWhiteSpace,您可以防止以null开头(因此会出现错误),而且可以防止SQL注入。
if( string.IsNulllOrWhiteSpace( txtName.Text )
|| string.IsNullOrWhiteSpace( ddlDegree.SelectedValue )
… )
message back about failed values
现在是SQL。用户参数。如果您使用O'Connor这个名字,会发生什么。第一个引号会终止您的字符串单引号平衡。
cmd.Connection = con;
cmd.CommandText =
@"UPDATE staff SET
full_name = @parmFullName,
degree = @parmDegree,
experience = @parmExperience,
salary = @parmSalary,
street = @parmStreet,
city = @parmCity,
state = @parmState,
zipcode = @parmZIP,
where
userid = @parmUserID";
// pulling the parameters from the parameters you pass to your UpdateStaff() call
cmd.Parameters.AddWithValue( "parmFullName", full_name );
cmd.Parameters.AddWithValue( "parmDegree", degree );
cmd.Parameters.AddWithValue( "parmExperience", experience );
cmd.Parameters.AddWithValue( "parmSalary", salary );
cmd.Parameters.AddWithValue( "parmStreet", street);
cmd.Parameters.AddWithValue( "parmCity", city );
cmd.Parameters.AddWithValue( "parmState", state );
cmd.Parameters.AddWithValue( "parmZIP", zipcode );
cmd.Parameters.AddWithValue( "parmUserID", userid );
因此,在大多数情况下,你应该都很好。没有Null值,没有不匹配的单引号字符串。这并不是验证的终极方法,但是您绝对应该阅读有关SQL注入和数据清除的更多信息。
在我的示例中,我在参数中明确添加了前缀“ parm”,以区分要使用的实际值。
此外,如果数据列是日期,整数,双精度,字符串,则让它们保持预期的类型。参数将正确传递。