SQL 更新命令不起作用

Title: SQL update command not working
Posted: 2014-02-05 14:13:22
Question:

I created a web page on an Asp.net website. The Page_Load below runs when it receives parameters from the previous page. The page also has options for editing the content and updating the database. But when the button (Save) is clicked, it does not update the database. Please help. However, when there is no connection in Page_Load, the update command works.

protected void Page_Load(object sender, EventArgs e)
{
    // Parameters passed from the previous page
    String cust=Request.QueryString["custName"];
    String env = Request.QueryString["env"];
    SqlConnection cnn = new SqlConnection();
    string connStr = ConfigurationManager.ConnectionStrings["cnn"].ConnectionString;
    SqlDataAdapter adapter = new SqlDataAdapter();
    cnn.ConnectionString = connStr;
    cnn.Open();
    view();
    if (env == "Production")
    {
        DataSet MyDataSet = new DataSet();
        adapter = new SqlDataAdapter("Select * from Customer_Production where Customer_Name=@cust", cnn);
        SqlCommandBuilder m_cbCommandBuilder = new SqlCommandBuilder(adapter);
        cnn.Close();
        //SqlCommand cmd = new SqlCommand("Select * from Customer_Production where Customer_Name=@cust", cnn);
        adapter.SelectCommand.Parameters.AddWithValue("@cust", cust);
        adapter.Fill(MyDataSet, "Servers");
        // Copy the customer's row into the page's input controls
        foreach (DataRow myRow in MyDataSet.Tables[0].Rows)
        {
            custName.Value = myRow["Customer_name"].ToString();
            custMaintain.Value= myRow["Customer_Maintenance"].ToString();
            serviceAffect.Value=myRow["Systems/Services_Affected"].ToString();
            email_Content.Value= myRow["Email_Content"].ToString();
            email_Signature.Value= myRow["Email_Signature"].ToString();
            email_From.Value=myRow["Email_From"].ToString();
            email_To.Value=myRow["Email_To"].ToString();
            email_Cc.Value=myRow["Email_Cc"].ToString();
            email_Bcc.Value=myRow["Email_Bcc"].ToString();
        }
    }
    else
    {
        DataSet MyDataSet = new DataSet();
        adapter = new SqlDataAdapter("Select * from Customer_Non_Production where Customer_Name=@cust", cnn);
        SqlCommandBuilder m_cbCommandBuilder = new SqlCommandBuilder(adapter);
        cnn.Close();
        //SqlCommand cmd = new SqlCommand("Select * from Customer_Production where Customer_Name=@cust", cnn);
        adapter.SelectCommand.Parameters.AddWithValue("@cust", cust);
        adapter.Fill(MyDataSet, "Servers");

        // Same copy as above, from the non-production table
        foreach (DataRow myRow in MyDataSet.Tables[0].Rows)
        {
            custName.Value = myRow["Customer_name"].ToString();
            custMaintain.Value = myRow["Customer_Maintenance"].ToString();
            serviceAffect.Value = myRow["Systems/Services_Affected"].ToString();

            email_Content.Value = myRow["Email_Content"].ToString();
            email_Signature.Value = myRow["Email_Signature"].ToString();
            email_From.Value = myRow["Email_From"].ToString();
            email_To.Value = myRow["Email_To"].ToString();
            email_Cc.Value = myRow["Email_Cc"].ToString();
            email_Bcc.Value = myRow["Email_Bcc"].ToString();
        }
    }
}

Below is the button click handler for the Save button (used for the update command):

protected void save_click(object sender, EventArgs e)
{
    //Button Click Save
    /*        String id = "A";
    SqlConnection cnn = new SqlConnection();
    string connStr = ConfigurationManager.ConnectionStrings["cnn"].ConnectionString;
    SqlDataAdapter adapter = new SqlDataAdapter();
    cnn.ConnectionString = connStr;
    cnn.Open();
    String sql = String.Format("Update Customer_Production set Email_Signature='{0}' where Customer_Name like '{1}'",TextBox1.Text,id);
    SqlCommand cmd = new SqlCommand(sql, cnn);

    cmd.ExecuteNonQuery();
     */
    String cust = "A";
    SqlConnection cnn = new SqlConnection();
    string connStr = ConfigurationManager.ConnectionStrings["cnn"].ConnectionString;
    SqlDataAdapter adapter = new SqlDataAdapter();
    cnn.ConnectionString = connStr;
    cnn.Open();
    if (env.Value == "Production")
    {
        //String sql = String.Format("Update Customer_Production set Customer_Maintenance='{0}',Environment='{1}',[Systems/Services_Affected]='{2}',Email_Content='{3}',Email_Signature='{4}',Email_To='{5}',Email_Cc='{6}',Email_Bcc='{7}',Email_From='{8}' where Customer_Name like '{9}' ", "custMaintain.Value","env.Value","serviceAffect.Value","email_Content.Value","email_To.Value","email_Cc.Value","email_Bcc.Value","email_From.Value", "cust");
        // Values are pasted straight into the SQL text (see the comments below on SQL injection)
        String sql = String.Format("Update Customer_Production set Email_Signature='{0}' where Customer_Name like '{1}'", email_Signature.Value,cust);
        SqlCommand cmd = new SqlCommand(sql, cnn);
        cmd.ExecuteNonQuery();
    }
    else
    {
    }
}


Comments:

It's not obvious here, but it may be that env.Value != "Production"

@Hogan I need Production, that's why I check for it..

Your code is vulnerable to SQL injection. See this en.wikipedia.org/wiki/SQL_injection

@ChetanGoenka - I know why your code is like this - even though it is a bad design. (You should use a different database for production and then just change the connection string; the same code in both places.) My point is different. Are you sure the variable env.Value is assigned "Production" in your code? IF NOT, that would explain your problem.

@Trifon then can you tell me a better way to do the update?

Answer 1:

I don't know why making (or not making) the connection in Page_Load would make any difference, but I think there is one thing:

String.Format(
   "Update Customer_Production set Email_Signature='{0}' where Customer_Name like '{1}'",
   email_Signature.Value,
   cust);

(I split it over several lines because the part I'm interested in is the last part of the format string.)

Earlier in that method you set cust to "A". So the SQL that gets produced will look like this (at the end):

 ... where Customer_Name like 'A'

Unless your customer name is exactly A, nothing will match, so no record will be updated. You forgot the '%' wildcard.

I agree with everyone pointing out that your code is vulnerable to SQL injection (and you will also have trouble with single quotes), but just to show you what it needs to look like, here is the wildcard:

 Update Customer_Production set Email_Signature='{0}' where Customer_Name like '{1}%'

Comments:

I have a customer name with A. I wanted to test it, so I gave it A. But it doesn't work by itself.
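The following is an added example, not code from the question or the answer above. It shows how the same save handler looks with parameterized commands (the fix the commenters ask for), with the affected-row count checked instead of ignored, and with the LIKE wildcard kept on the C# side of a parameter for the answer's prefix case. It also guards Page_Load with IsPostBack: in Web Forms, Load runs on every postback before the Click handler, so refilling the inputs from the database there overwrites what the user typed, which matches the question's observation that the update "works" when Page_Load does not connect. Assumed, as in the question: the connection-string name "cnn", the table and column names, and HtmlInputText controls named custName, email_Signature and env declared in the page's designer file. The parameter lengths (100, NVARCHAR(MAX)) are assumptions.

```csharp
// Added example, not the original question's or answer's code. Assumes the
// same connection-string name ("cnn"), table and column names, and the
// HtmlInputText controls custName, email_Signature and env from the question.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public partial class CustomerEdit : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Load runs on every postback before the Click handler. Refilling the
        // inputs here would overwrite the user's edits, so load only once.
        if (!IsPostBack)
        {
            env.Value = Request.QueryString["env"];
            LoadSignature(TableFor(env.Value), Request.QueryString["custName"]);
        }
    }

    protected void save_click(object sender, EventArgs e)
    {
        int rows = UpdateSignature(TableFor(env.Value), custName.Value, email_Signature.Value);
        // Zero affected rows means the WHERE clause matched nothing; the
        // original code never checked this, so a silent non-update looked like a bug.
        if (rows == 0)
        {
            throw new InvalidOperationException("No customer row matched; nothing was updated.");
        }
    }

    // The table name comes from a fixed whitelist, never from the request.
    private static string TableFor(string environment)
    {
        return environment == "Production" ? "Customer_Production" : "Customer_Non_Production";
    }

    private void LoadSignature(string table, string customerName)
    {
        string connStr = ConfigurationManager.ConnectionStrings["cnn"].ConnectionString;
        string sql = "SELECT Customer_Name, Email_Signature FROM " + table + " WHERE Customer_Name = @cust";
        using (var cnn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, cnn))
        {
            cmd.Parameters.Add("@cust", SqlDbType.NVarChar, 100).Value = customerName; // length assumed
            cnn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (r.Read())
                {
                    custName.Value = r["Customer_Name"].ToString();
                    email_Signature.Value = r["Email_Signature"].ToString();
                }
            }
        }
    }

    // Exact-match UPDATE with both values passed as parameters: quotes or SQL
    // fragments typed into the form are stored as data, not executed.
    private static int UpdateSignature(string table, string customerName, string signature)
    {
        string connStr = ConfigurationManager.ConnectionStrings["cnn"].ConnectionString;
        string sql = "UPDATE " + table + " SET Email_Signature = @sig WHERE Customer_Name = @cust";
        using (var cnn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, cnn))
        {
            cmd.Parameters.Add("@sig", SqlDbType.NVarChar, -1).Value = signature;   // -1 = NVARCHAR(MAX)
            cmd.Parameters.Add("@cust", SqlDbType.NVarChar, 100).Value = customerName;
            cnn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // If a prefix match (the answer's 'A%' case) is really wanted, append the
    // wildcard to the parameter value and escape any wildcard characters the
    // user typed, so that "50%" or "a_b" match literally instead of widening the match.
    private static int UpdateSignatureByPrefix(string table, string prefix, string signature)
    {
        string escaped = prefix.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        string connStr = ConfigurationManager.ConnectionStrings["cnn"].ConnectionString;
        string sql = "UPDATE " + table + " SET Email_Signature = @sig WHERE Customer_Name LIKE @pattern";
        using (var cnn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, cnn))
        {
            cmd.Parameters.Add("@sig", SqlDbType.NVarChar, -1).Value = signature;
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 110).Value = escaped + "%";
            cnn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The table name is still concatenated into the SQL text, but only after being mapped through TableFor, so the request can choose between two fixed identifiers and nothing else; SQL Server does not accept a table name as a parameter, which is why the whitelist is needed. Checking the return value of ExecuteNonQuery turns "the update silently did nothing" into a visible error, which is the quickest way to tell a WHERE mismatch apart from the overwritten-input problem in Page_Load.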
