Asp.net 下拉列表的SQL字符串调整
我将尝试使用以下示例来澄清。在这里,我有两个下拉列表(ddlInsertEmployee+ddlInsertCustomer),它们都应该绑定到从表[Employee.EmployeeID]和[Customer.CustomerID]获取数据并将其插入表[Task]中 问题是它将Employee.Fullname和Customer.Fullname中的数据插入resp。Employee.EmployeeID和Customer.CustomerID。如果我将下拉列表更改为文本框,并手动插入ID,它就像一个符咒,但这不是很有效,我希望能够看到整个全名 我不知道如何更改我的Sqlstring以使其正确工作。我希望这有意义。非常感谢任何帮助Asp.net 下拉列表的SQL字符串调整,asp.net,sql,vb.net,Asp.net,Sql,Vb.net,我将尝试使用以下示例来澄清。在这里,我有两个下拉列表(ddlInsertEmployee+ddlInsertCustomer),它们都应该绑定到从表[Employee.EmployeeID]和[Customer.CustomerID]获取数据并将其插入表[Task]中 问题是它将Employee.Fullname和Customer.Fullname中的数据插入resp。Employee.EmployeeID和Customer.CustomerID。如果我将下拉列表更改为文本框,并手动插入ID,它
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.WebControls.DropDownList
Protected Sub btnSubmit_Click(sender As Object, e As System.EventArgs) Handles btnSubmit.Click
Dim MyConn As OleDbConnection
Dim cmd As OleDbCommand
Dim Sqlstring, TaskDesc, TaskSolved, Employee, Customer, DateIn, DateOut, TaskHours As String
TaskDesc = txtTaskDesc.Text
TaskSolved = txtTaskSolved.Text
Employee = ddlInsertEmployee.Text
Customer = ddlInsertCustomer.Text
DateIn = txtDateReg.Text
DateOut = txtDateSolved.Text
TaskHours = txtHours.Text
MyConn = New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\DATABASE.accdb;")
MyConn.Open()
Sqlstring = "INSERT INTO Task (TaskDesc, TaskSolved, EmployeeID, CustomerID, DateIn, DateOut, TaskHours) VALUES ('" + TaskDesc + "', '" + TaskSolved + "', '" + Employee + "', '" + Customer + "', '" + DateIn + "', '" + DateOut + "', '" + TaskHours + "')"
cmd = New OleDbCommand(Sqlstring, MyConn)
cmd.ExecuteNonQuery()
MyConn.Close()
lblMessage.Text = "Task Added Successfully !!!"
End Sub
End Class
--------
Employee
<asp:DropDownList ID="ddlInsertEmployee" runat="server" AutoPostBack="True"
DataSourceID="SqlDataSource5" DataTextField="EmployeeFullName"
DataValueField="EmployeeFullName">
</asp:DropDownList>
<asp:SqlDataSource ID="SqlDataSource5" runat="server"
ConnectionString="<%$ ConnectionStrings:conntoDB %>"
ProviderName="<%$ ConnectionStrings:conntoDB.ProviderName %>"
SelectCommand="SELECT EmployeeFullName, EmployeeID FROM Employee">
</asp:SqlDataSource>
<br />
<br />
Customer <asp:DropDownList ID="ddlInsertCustomer" runat="server"
AutoPostBack="True" DataSourceID="SqlDataSource6"
DataTextField="CustomerFullName" DataValueField="CustomerFullName">
</asp:DropDownList>
<asp:SqlDataSource ID="SqlDataSource6" runat="server"
ConnectionString="<%$ ConnectionStrings:conntoDB %>"
ProviderName="<%$ ConnectionStrings:conntoDB.ProviderName %>"
SelectCommand="SELECT CustomerID, CustomerFullName FROM Customer">
</asp:SqlDataSource>
尝试将
DDInsertCustomer
的DataValueField
设置为CustomerID
(与员工下拉列表类似)。然后,您可以使用ddl.SelectedValue
属性保存到数据库中,但用户仍会看到name属性
另外,将文本框中的文本插入到SQL查询中是一个非常糟糕的主意,因为这会打开SQL注入的大门。使用SQL参数是一个非常好的主意。尝试将
ddlInsertCustomer
的DataValueField
设置为CustomerID
(与员工下拉列表类似)。然后,您可以使用ddl.SelectedValue
属性保存到数据库中,但用户仍会看到name属性
另外,将文本框中的文本插入到SQL查询中是一个非常糟糕的主意,因为这会打开SQL注入的大门。使用SQL参数是一个非常好的主意。Hah,它奏效了。明亮的非常感谢。我已经坐了好几个小时了!哈,成功了。明亮的非常感谢。我已经坐了好几个小时了!强制性评论;您不应该通过连接字符串来进行这样的SQL查询。使用参数化查询;您不应该通过连接字符串来进行这样的SQL查询。使用参数化查询。
Exception Details: System.Data.OleDb.OleDbException: Data type mismatch in criteria expression.
Source Error:
Line 60: Sqlstring = "INSERT INTO Task (TaskDesc, TaskSolved, EmployeeID, CustomerID, DateIn, DateOut, TaskHours) VALUES ('" + TaskDesc + "', '" + TaskSolved + "', '" + Employee + "', '" + Customer + "', '" + DateIn + "', '" + DateOut + "', '" + TaskHours + "')"
Line 61: cmd = New OleDbCommand(Sqlstring, MyConn)
[B]Line 62: cmd.ExecuteNonQuery() Line 63: MyConn.Close()[/B]
Line 64: lblMessage.Text = "Task Added Successfully !!!"
Source File: C:\Projekt\NewTask.aspx.vb Line: 62