我有一个连接到我的数据库,我可以检索数据没有问题,但我无法插入。警报也没有被显示,所以我确信查询没有被执行,它只是重定向到aspx页面。我尝试过许多不同的解决方案,但我认为问题不在我所寻找的地方。这是密码,希望有人能帮上忙。
代码隐藏:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.IO;
using System.Data.SqlClient;
using System.Configuration;
using System.Data;
using System.Threading;
using System.Threading.Tasks;
namespace Childrens.Admin
{
public partial class WebForm1 : System.Web.UI.Page
{
protected void btnViewStaff_ServerClick(object sender, EventArgs e)
{
divAddStaff.Visible = false;
staffGridView.Visible = true;
}
protected void btnAddNewStaff_ServerClick(object sender, EventArgs e)
{
staffGridView.Visible = false;
divAddStaff.Visible = true;
}
protected void btnSubmitStaff_ServerClick(object sender, EventArgs e)
{
if (txtPassword == txtCPassword)
{
using (SqlConnection addStaffConn = new SqlConnection(ConfigurationManager.ConnectionStrings["myConn"].ToString()))
{
try
{
addStaffConn.Open();
string query = "INSERT INTO [Staff] (staff_fname,staff_sname,staff_email,staff_pass) VALUES ('" + txtFName + "','" + txtSName + "','" + txtEmail + "','" + txtPassword+"')"; //(@fname,@sname,@email,@pass)";
SqlDataAdapter staffAdapter = new SqlDataAdapter();
SqlCommand addStaffCommand = new SqlCommand(query, addStaffConn);
/*addStaffCommand.Parameters.AddWithValue("@fname", txtFName);
addStaffCommand.Parameters.AddWithValue("@sname", txtSName);
addStaffCommand.Parameters.AddWithValue("@email", txtEmail);
addStaffCommand.Parameters.AddWithValue("@pass", txtPassword);*/
staffAdapter.InsertCommand = addStaffCommand;
staffAdapter.InsertCommand.ExecuteNonQuery();
addStaffConn.Close();
Response.Write(String.Format("<script>alert('The entry was successful!');window.location='{0}';</script>", "URL=staff.aspx"));
}
catch (Exception ex)
{
Response.Write(String.Format("<script>alert('The entry was successful!');window.location='{0}';</script>", "URL=staff.aspx"));
}
finally
{
if (addStaffConn.State == System.Data.ConnectionState.Open)
{
addStaffConn.Close();
}
addStaffConn.Dispose();
}
}
}
}
}
}web.config文件:
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your ASP.NET application, please
visit
https://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.6.1"/>
<httpRuntime targetFramework="4.6.1"/>
</system.web>
<system.codedom>
<compilers>
<compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.8.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider,
Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.8.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35"
warningLevel="4" compilerOptions="/langversion:default /nowarn:41008
/define:_MYTYPE=\"Web\" /optionInfer+"/>
</compilers>
</system.codedom>
<connectionStrings>
<add name="myConn" connectionString="server=localhost;user
id=root;persistsecurityinfo=True;database=childrens" />
<add name="childrensConnectionString"
connectionString="server=localhost;user id=root;password=password;persistsecurityinfo=True;database=childrens;allowuservariables=True"
providerName="MySql.Data.MySqlClient" />
</connectionStrings>
</configuration>
1条答案
按热度按时间7ivaypg91#
您应该使用mysql的.net连接器,而不是用于ms sql server的库。而且,数据适配器往往更多地用于数据表和类似的东西;对于您的需要,仅仅执行“command”对象就足够了。
每个人都提到的安全漏洞是,您的查询(最多)会破坏第二个“fname”、“sname”等。。。包含一个或多个撇号;您应该研究参数化查询以避免此类问题。
编辑:还有,
[以及]是microsoft数据库(ms sql server和ms access)的字段分隔符;(在~键上)由mysql使用。 编辑#2:漏洞示例:INSERT INTO [Staff] (staff_fname,staff_sname,staff_email,staff_pass) VALUES ('" + txtFName + "','" + txtSName + "','" + txtEmail + "','" + txtPassword+"')"用户输入他们的名字作为O','','','then'), ('they', 'can', 'add', 'multiple'), ('users','or','possibly','worse'), ('without','even','causing','an'), ('error`