C# 使用ASP.NET更新SQL Server数据库中的记录
我是ASP.NET新手,在ASP.NET中更新数据库中的记录时遇到了一些困难。我的代码没有显示错误,但记录仍然没有更新。我正在使用SQL Server 2012 代码如下:C# 使用ASP.NET更新SQL Server数据库中的记录,c#,asp.net,sql-server,C#,Asp.net,Sql Server,我是ASP.NET新手,在ASP.NET中更新数据库中的记录时遇到了一些困难。我的代码没有显示错误,但记录仍然没有更新。我正在使用SQL Server 2012 代码如下: protected void Page_Load(object sender, EventArgs e) { if (Session["user"] != null) { con.Open(); string query = "Select * from Custome
protected void Page_Load(object sender, EventArgs e)
{
if (Session["user"] != null)
{
con.Open();
string query = "Select * from Customers where UserName ='" + Session["user"] + "'";
SqlCommand cmd = new SqlCommand(query, con);
SqlDataReader reader = cmd.ExecuteReader();
if (reader.Read())
{
txt_name.Text = reader["CustName"].ToString();
txt_phonenumber.Text = reader["Contact"].ToString();
txt_address.Text = reader["CustAddress"].ToString();
txt_cardnum.Text = reader["CustAccountNo"].ToString();
txt_city.Text = reader["CustCity"].ToString();
txt_emailaddress.Text = reader["Email"].ToString();
txt_postalcode.Text = reader["CustPOBox"].ToString();
Cnic.Text = reader["CustCNIC"].ToString();
}
con.Close();
}
else
{
Response.Redirect("Login.aspx");
}
}
protected void BtnSubmit_Click(object sender, EventArgs e)
{
con.Open();
SqlCommand cmd2 = con.CreateCommand();
SqlCommand cmd1 = con.CreateCommand();
cmd1.CommandType = CommandType.Text;
cmd1.CommandText = "Select CustID from Customers where UserName = '" + Session["user"] + "'";
int id = Convert.ToInt32(cmd1.ExecuteScalar());
cmd2.CommandType = CommandType.Text;
cmd2.CommandText = "update Customers set CustName='" + txt_name.Text + "',CustCNIC='" + Cnic.Text + "',Email='" + txt_emailaddress.Text + "',CustAccountNo='" + txt_cardnum.Text + "',CustAddress='" + txt_address.Text + "',CustPOBox='" + txt_postalcode.Text + "' where CustID='" + id + "'";
cmd2.ExecuteNonQuery();
con.Close();
}
非常感谢您的帮助。谢谢
调试后,我得到的结果是
这里的帐号和POBOX为0,地址为空字符串。但是我已经填充了文本字段要解决这个问题,首先要使用好的ADO技术,使用SqlParameters作为传入的值;而不是将字符串连接在一起的高风险SQL注入方法 第一部分就是这样。我添加了int-sqlRA变量来读取非查询的结果,这将返回受查询影响的行。这包含在一个简单的try…catch例程中,用于在出现任何错误时将值设置为负1。其他错误处理由您决定。这使您的代码看起来像这样:
cmd1.Parameters.AddWithValue("@SessionUser", Session["User"]);
int id = Convert.ToInt32(cmd1.ExecuteScalar());
cmd2.CommandType = CommandType.Text;
cmd2.CommandText = "UPDATE Customers SET CustName = @CustName, CustCNIC = @CustCNIC, Email = @Email, CustAccountNo = @CustAccountNo, CustAddress = @CustAddress, CustPOBox = @CustPOBox WHERE (CustID = @CustID)";
cmd2.Parameters.AddWithValue("@CustName", txt_name.Text);
cmd2.Parameters.AddWithValue("@CustCNIC", Cnic.Text);
cmd2.Parameters.AddWithValue("@Email", txt_emailaddress.Text);
cmd2.Parameters.AddWithValue("@CustAccountNo", txt_cardnum.Text);
cmd2.Parameters.AddWithValue("@CustAddress", txt_address.Text);
cmd2.Parameters.AddWithValue("@CustPOBox", txt_postalcode.Text);
cmd2.Parameters.AddWithValue("@CustID", id);
int sqlRA
try { sqlRA = cmd2.ExecuteNonQuery(); }
catch (Exception ex) {
sqlRA = -1;
// your error handling
}
/* sqlRA values explained
-1 : Error occurred
0 : Record not found
1 : 1 Record updated
>1 :Multiple records updated
*/
现在通读您的代码,我们对第一个查询所做的只是将会话[User]映射到id,然后在第二个查询中使用该id进行更新,而该用户名在第二个查询中不会更新。很可能浪费查询,因为我们可以使用会话[User]进行更新。这将使您继续执行此查询,并且仍然会返回受影响的值:
cmd0.CommandType = CommandType.Text;
cmd0.CommandText = "UPDATE Customers SET CustName = @CustName, CustCNIC = @CustCNIC, Email = @Email, CustAccountNo = @CustAccountNo, CustAddress = @CustAddress, CustPOBox = @CustPOBox WHERE (UserName = @SessionUser)";
cmd0.Parameters.AddWithValue("@CustName", txt_name.Text);
cmd0.Parameters.AddWithValue("@CustCNIC", Cnic.Text);
cmd0.Parameters.AddWithValue("@Email", txt_emailaddress.Text);
cmd0.Parameters.AddWithValue("@CustAccountNo", txt_cardnum.Text);
cmd0.Parameters.AddWithValue("@CustAddress", txt_address.Text);
cmd0.Parameters.AddWithValue("@CustPOBox", txt_postalcode.Text);
cmd0.Parameters.AddWithValue("@SessionUser", Session["User"]);
int sqlRA
try { sqlRA = cmd0.ExecuteNonQuery(); }
catch (Exception ex) {
sqlRA = -1;
// your error handling
}
/* sqlRA values explained
-1 : Error occurred
0 : Record not found
1 : 1 Record updated
>1 :Multiple records updated
*/
当BtnSubmit触发事件时,加载页面中的代码在BtnSubmit中的代码之前运行,用更新发生前数据库中的值替换文本框中的值。提供id的Update语句被读取CustID='id'的单引号包围。这意味着sql可能正在将其作为字符串读取。int id变量是否从Select语句中正确填充?请尝试调试并获取生成的sql,然后在数据库中运行它。同样,正如@jmag在第一次评论中所说的那样。删除id周围的单引号。因此,在运行BtnSubmit事件中的代码之前,CustID=6BtnSubmit应该执行回发并在页面加载中运行代码。如果您仍然希望在页面加载中加载代码,请使用If!IsPostBack{//页面加载中的代码}。这将防止它在BTNSUPMIT事件期间触发。
cmd0.CommandType = CommandType.Text;
cmd0.CommandText = "UPDATE Customers SET CustName = @CustName, CustCNIC = @CustCNIC, Email = @Email, CustAccountNo = @CustAccountNo, CustAddress = @CustAddress, CustPOBox = @CustPOBox WHERE (UserName = @SessionUser)";
cmd0.Parameters.AddWithValue("@CustName", txt_name.Text);
cmd0.Parameters.AddWithValue("@CustCNIC", Cnic.Text);
cmd0.Parameters.AddWithValue("@Email", txt_emailaddress.Text);
cmd0.Parameters.AddWithValue("@CustAccountNo", txt_cardnum.Text);
cmd0.Parameters.AddWithValue("@CustAddress", txt_address.Text);
cmd0.Parameters.AddWithValue("@CustPOBox", txt_postalcode.Text);
cmd0.Parameters.AddWithValue("@SessionUser", Session["User"]);
int sqlRA
try { sqlRA = cmd0.ExecuteNonQuery(); }
catch (Exception ex) {
sqlRA = -1;
// your error handling
}
/* sqlRA values explained
-1 : Error occurred
0 : Record not found
1 : 1 Record updated
>1 :Multiple records updated
*/