连接到SQL Server数据库C#ASP.NET时引用为空
在尝试通过Visual Studio 2017连接到SQL Server数据库时,我不断收到空引用。下面是引用所在的位置以及它试图连接以收集数据的方式。请帮忙!谢谢你 Profile.aspx连接到SQL Server数据库C#ASP.NET时引用为空,c#,asp.net,sql-server,nullreferenceexception,C#,Asp.net,Sql Server,Nullreferenceexception,在尝试通过Visual Studio 2017连接到SQL Server数据库时,我不断收到空引用。下面是引用所在的位置以及它试图连接以收集数据的方式。请帮忙!谢谢你 Profile.aspx protected void updateProfile(object sender, EventArgs e) { // Database entry string message = "Your information has been updated acco
protected void updateProfile(object sender, EventArgs e)
{
// Database entry
string message = "Your information has been updated accoridngly!<br><br>";
double number;
if (txtName.Text.Equals("") || ddlDegree.SelectedValue.Equals("") || txtExperience.Text.Equals("") || !Double.TryParse(txtExperience.Text, out number) || txtSalary.Text.Equals("") || txtStreet.Text.Equals("") || txtCity.Text.Equals("") || txtState.Text.Equals("") || txtZipcode.Text.Equals(""))
{
message += "However:<br>There was an error found in your entry fields, resulting in a failure to store field information. Make sure that all fields are filled and that the Experience field is a double value.";
}
else
{
**myDataLayer.updateStaff(Session["userid"].ToString(), txtName.Text, ddlDegree.SelectedValue, txtExperience.Text, txtSalary.Text, txtStreet.Text, txtCity.Text, txtState.Text, txtZipcode.Text);** - **Null Reference**
}
您的验证很弱,在没有参数化的情况下,永远不会生成用于insert、update和delete的sql命令。您很容易使用SQL注入 首先,基本验证。通过使用IsNullOrWhiteSpace,可以防止以null开头(因此会出现错误),但也可以作为SQL注入的开始
if( string.IsNulllOrWhiteSpace( txtName.Text )
|| string.IsNullOrWhiteSpace( ddlDegree.SelectedValue )
… )
message back about failed values
现在是SQL。用户参数。如果你叫奥康纳会怎么样。第一个引号将终止字符串单引号平衡
cmd.Connection = con;
cmd.CommandText =
@"UPDATE staff SET
full_name = @parmFullName,
degree = @parmDegree,
experience = @parmExperience,
salary = @parmSalary,
street = @parmStreet,
city = @parmCity,
state = @parmState,
zipcode = @parmZIP,
where
userid = @parmUserID";
// pulling the parameters from the parameters you pass to your UpdateStaff() call
cmd.Parameters.AddWithValue( "parmFullName", full_name );
cmd.Parameters.AddWithValue( "parmDegree", degree );
cmd.Parameters.AddWithValue( "parmExperience", experience );
cmd.Parameters.AddWithValue( "parmSalary", salary );
cmd.Parameters.AddWithValue( "parmStreet", street);
cmd.Parameters.AddWithValue( "parmCity", city );
cmd.Parameters.AddWithValue( "parmState", state );
cmd.Parameters.AddWithValue( "parmZIP", zipcode );
cmd.Parameters.AddWithValue( "parmUserID", userid );
所以,在大多数情况下,你应该是好的。没有空值,没有不匹配的单引号字符串。这不是最终的验证,但您肯定应该阅读更多关于SQL注入和数据清理的内容
在我的示例中,我显式地向参数添加了前缀“parm”,以区分您尝试使用的实际值
此外,如果数据列是日期、整数、双精度、字符串,则让它们保持预期的类型。参数将正确传递到。您从何处获得NullReference,那么错误消息和stacktrace是什么,为什么它与其他NullReference问题不同?在转到
ToString
之前是否正确定义了会话[“userid”]
?有时候我忘了。嗯,除非您阅读错误消息,否则很难说出空引用错误的来源。不相关的提示:SqlConnection
、SqlCommand
、SqlDataReader
和SqlDataAdapter
都是IDisposable
,因此每个都应该是使用块的中的局部变量。DRapp指出了您代码中的SQL注入漏洞。可能值得一看。
cmd.Connection = con;
cmd.CommandText =
@"UPDATE staff SET
full_name = @parmFullName,
degree = @parmDegree,
experience = @parmExperience,
salary = @parmSalary,
street = @parmStreet,
city = @parmCity,
state = @parmState,
zipcode = @parmZIP,
where
userid = @parmUserID";
// pulling the parameters from the parameters you pass to your UpdateStaff() call
cmd.Parameters.AddWithValue( "parmFullName", full_name );
cmd.Parameters.AddWithValue( "parmDegree", degree );
cmd.Parameters.AddWithValue( "parmExperience", experience );
cmd.Parameters.AddWithValue( "parmSalary", salary );
cmd.Parameters.AddWithValue( "parmStreet", street);
cmd.Parameters.AddWithValue( "parmCity", city );
cmd.Parameters.AddWithValue( "parmState", state );
cmd.Parameters.AddWithValue( "parmZIP", zipcode );
cmd.Parameters.AddWithValue( "parmUserID", userid );