SQL Server: Update query not working in ASP.Net
I'm having a problem with an update query. I can't get the second method to run.
This works:
if (Methods.Update("TABLE1",
                   "Name", TextBoxName.Text,
                   "Column1", "1"
                   ) == 1)
This doesn't work:
if (Methods.Update("TABLE1",
                   "Name", TextBoxName.Text,
                   "Surname", TextBoxSurname.Text,
                   "Column1", "2"
                   ) == 1)
I get this error:
Conversion failed when converting the nvarchar value 'a4' to data type int.
Working method:
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

public static int Update(string Table1, string Column1, string Column1Value, string WhereColumn, string WhereValue)
{
    SqlConnection connection = new SqlConnection(WebConfigurationManager.ConnectionStrings["connection"].ConnectionString);
    // Both values are bound as parameters; only the table and column names are concatenated into the text.
    SqlCommand command = new SqlCommand("UPDATE " + Table1 + " SET " + Column1 + "= @Column1Value " + " WHERE " + WhereColumn + "=@WhereValue", connection);
    command.Parameters.AddWithValue("@Column1Value", Column1Value);
    command.Parameters.AddWithValue("@WhereValue", WhereValue);
    try
    {
        if ((connection.State == ConnectionState.Closed) || (connection.State == ConnectionState.Broken))
        {
            connection.Open();
        }
        int i = Convert.ToInt16(command.ExecuteNonQuery());
        return i;
    }
    finally
    {
        connection.Close();
    }
}
Non-working method:
public static int Update(string Table1, string Column1, string Column1Value, string Column2, string Column2Value, string WhereColumn, string WhereValue)
{
    SqlConnection connection = new SqlConnection(WebConfigurationManager.ConnectionStrings["connection"].ConnectionString);
    // WhereValue is concatenated into the SQL text here instead of being bound to @WhereValue.
    SqlCommand command = new SqlCommand("UPDATE " + Table1 + " SET " + Column1 + "= @Column1Value," + Column2 + " = @Column2Value WHERE " + WhereColumn + "=" + WhereValue, connection);
    command.Parameters.AddWithValue("@Column1Value", Column1Value);
    command.Parameters.AddWithValue("@Column2Value", Column2Value);
    // This parameter is added but the statement above never references it.
    command.Parameters.AddWithValue("@WhereValue", WhereValue);
    try
    {
        if ((connection.State == ConnectionState.Closed) || (connection.State == ConnectionState.Broken))
        {
            connection.Open();
        }
        int i = Convert.ToInt16(command.ExecuteNonQuery());
        return i;
    }
    finally
    {
        connection.Close();
    }
}
My table contents:
TABLE1
------------------------
Name    Surname    Column1
Name1   Surname1   NULL
Name2   Surname2   NULL
Name3   Surname3   a4
Name4   Surname4   NULL
Name5   Surname5   1
Name6   Surname6   2
Name7   Surname7   3
My table structure:
CREATE TABLE [User1].[TABLE1]
(
    [ID]      INT IDENTITY (1, 1) NOT NULL,
    [Name]    NVARCHAR (50) NOT NULL,
    [Surname] NVARCHAR (50) NOT NULL,
    [Column1] NVARCHAR (50) NULL,
    PRIMARY KEY CLUSTERED ([ID] ASC)
);
I don't understand the reason.
Thanks in advance.

Answer:
The problem in the non-working method is that you haven't parameterized WhereValue:
    WhereColumn + "=" + WhereValue,
instead of
    WhereColumn + "=@WhereValue"
So SQL casts it to INT, and then fails to compare it correctly against the a4 row.
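The cause described in the answer, worked through as an added example (this is not code from the original question or answer). It rebuilds the question's table as a temporary table #TABLE1 (a name chosen here) with the posted rows, runs the statement the non-working overload actually sends, then runs the parameterized form the working overload sends. It runs in SSMS or sqlcmd against SQL Server 2008 or later.

```sql
-- Added example, not from the original post: reproduces the asker's error on a temp table
-- holding the posted data, then shows the comparison succeeding once the value is typed as NVARCHAR.
SET NOCOUNT ON;

CREATE TABLE #TABLE1
(
    [ID]      INT IDENTITY (1, 1) NOT NULL PRIMARY KEY,
    [Name]    NVARCHAR (50) NOT NULL,
    [Surname] NVARCHAR (50) NOT NULL,
    [Column1] NVARCHAR (50) NULL
);

-- Constructed rows matching the table shown in the question.
INSERT INTO #TABLE1 ([Name], [Surname], [Column1])
VALUES (N'Name1', N'Surname1', NULL),
       (N'Name2', N'Surname2', NULL),
       (N'Name3', N'Surname3', N'a4'),
       (N'Name4', N'Surname4', NULL),
       (N'Name5', N'Surname5', N'1'),
       (N'Name6', N'Surname6', N'2'),
       (N'Name7', N'Surname7', N'3');

-- 1. What the non-working overload sends: WhereValue is concatenated into the text, so
--    SQL Server sees the INT literal 2. INT has higher data type precedence than NVARCHAR,
--    so every Column1 value is converted to INT before the comparison, and N'a4' cannot be.
--    The whole UPDATE fails with error 245 (the message quoted in the question); no row changes.
BEGIN TRY
    UPDATE #TABLE1 SET [Name] = N'Changed', [Surname] = N'Changed' WHERE [Column1] = 2;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

-- 2. The same statement with the value bound as an NVARCHAR parameter, which is what the
--    working overload does through @WhereValue: the comparison is now string to string,
--    N'a4' is simply not equal to N'2', and exactly one row is updated.
EXEC sp_executesql
    N'UPDATE #TABLE1 SET [Name] = @Name, [Surname] = @Surname WHERE [Column1] = @WhereValue;',
    N'@Name NVARCHAR(50), @Surname NVARCHAR(50), @WhereValue NVARCHAR(50)',
    @Name = N'Changed', @Surname = N'Changed', @WhereValue = N'2';

-- Expect Name6/Surname6 replaced by Changed/Changed and every other row untouched.
SELECT [ID], [Name], [Surname], [Column1] FROM #TABLE1 ORDER BY [ID];

DROP TABLE #TABLE1;
```

The first statement fails even though the row you want to update ('2') converts cleanly: the conversion is applied to every value the comparison touches, so one stray non-numeric value anywhere in the column breaks every query that compares it against an integer literal.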
Another answer:
Although changing the second method will fix your problem, there are some security issues in your SQL. If someone passes you a bad table or column name, you could very well end up with SQL injection along these lines. At the very least, you should check that the values passed in are in a list of the actual table and column names, so that nobody can pass you a table that really shouldn't be updated. Imagine if a malicious user passed this in your table-name parameter: "TableName SET Column1=1; SELECT * FROM INFORMATION_SCHEMA.TABLES --"
In fact, it's best to use specific functions to update specific tables and values, and to make sure you always parameterize values to avoid SQL injection.

Comments:
Apart from the problem at hand, you should read this article and start defining data types for your parameters.
If you're not careful, this could leave you wide open to SQL injection. This particular usage isn't, because the values are hard-coded, but the method that actually talks to the database does nothing to ensure that the calling code can't misuse it.
Not a fan of generic update methods. Preventing SQL injection is a real challenge to get right. Why not create CRUD procedures for the table? It's more work up front, but you also start separating the data layer from the business layer.
@David actually, this implementation is extremely vulnerable to SQL injection. It takes string values, builds them into a SQL command and executes it.
@SeanLange: yes, that's what I said. The implementation is vulnerable. This particular usage of the implementation isn't, because the vulnerable part isn't exposed to user input, but the core implementation is. If it's always used carefully, there's no vulnerability. But I'd strongly recommend the OP explicitly make it safe rather than assuming the code will always be used carefully.
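The injection the second answer describes and the hardened alternative the comments ask for, as an added example (not code from the original question, answers or comments). Part 1 runs the answer's table-name payload against a throwaway copy of the question's table so the effect is visible; part 2 is the same generic UPDATE written as a stored procedure that validates identifiers against the catalog, quotes them with QUOTENAME and passes values as typed parameters through sp_executesql. The table dbo.TABLE1_Demo, the procedure dbo.usp_UpdateOneColumn and the input values are names made up for this example; it needs CREATE TABLE and CREATE PROCEDURE permission in a scratch database, and GO is the SSMS/sqlcmd batch separator.

```sql
-- Added example, not from the original post. Part 1: the payload from the second answer
-- executing against concatenated identifiers. Part 2: a hardened generic UPDATE procedure.
SET NOCOUNT ON;
GO
CREATE TABLE dbo.TABLE1_Demo
(
    [ID]      INT IDENTITY (1, 1) NOT NULL PRIMARY KEY,
    [Name]    NVARCHAR (50) NOT NULL,
    [Surname] NVARCHAR (50) NOT NULL,
    [Column1] NVARCHAR (50) NULL
);
-- Constructed rows, two of the ones shown in the question.
INSERT INTO dbo.TABLE1_Demo ([Name], [Surname], [Column1])
VALUES (N'Name5', N'Surname5', N'1'), (N'Name6', N'Surname6', N'2');
GO

-- Part 1: the vulnerable pattern. Identifiers are concatenated into the statement text,
-- as the posted Update method does. The "table name" ends the intended UPDATE, appends a
-- statement of the attacker's choosing, and the trailing -- comments out the rest of the text.
-- Binding @Name and @WhereValue as parameters does not help: the text itself is hostile.
DECLARE @Table NVARCHAR(300) = N'dbo.TABLE1_Demo SET Column1 = 1; SELECT * FROM INFORMATION_SCHEMA.TABLES --';
DECLARE @Sql   NVARCHAR(MAX) = N'UPDATE ' + @Table + N' SET Name = @Name WHERE Column1 = @WhereValue;';
PRINT @Sql;
EXEC sp_executesql @Sql, N'@Name NVARCHAR(50), @WhereValue NVARCHAR(50)', @Name = N'x', @WhereValue = N'2';
-- Every row now has Column1 = '1', and the table list was returned to the caller.
SELECT [ID], [Name], [Surname], [Column1] FROM dbo.TABLE1_Demo;
GO

-- Part 2: hardened. Identifiers are checked against the catalog before any text is built,
-- then quoted with QUOTENAME; values travel as typed parameters and never enter the text.
CREATE PROCEDURE dbo.usp_UpdateOneColumn
    @Schema       sysname,
    @Table        sysname,
    @Column       sysname,
    @Value        NVARCHAR(50),
    @WhereColumn  sysname,
    @WhereValue   NVARCHAR(50),
    @RowsAffected INT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @ObjectId INT = OBJECT_ID(QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table), N'U');
    -- Reject anything that is not a real user table carrying both named columns.
    IF @ObjectId IS NULL
       OR NOT EXISTS (SELECT 1 FROM sys.columns WHERE [object_id] = @ObjectId AND [name] = @Column)
       OR NOT EXISTS (SELECT 1 FROM sys.columns WHERE [object_id] = @ObjectId AND [name] = @WhereColumn)
    BEGIN
        RAISERROR(N'Unknown table or column.', 16, 1);
        RETURN;
    END;
    DECLARE @Sql NVARCHAR(MAX) =
          N'UPDATE ' + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table)
        + N' SET '   + QUOTENAME(@Column)      + N' = @Value'
        + N' WHERE ' + QUOTENAME(@WhereColumn) + N' = @WhereValue;'
        + N' SET @Rows = @@ROWCOUNT;';
    -- NVARCHAR(50) matches the question's column types, so the WHERE value is never
    -- implicitly cast to INT and a value such as 'a4' elsewhere in the column is harmless.
    EXEC sp_executesql @Sql,
         N'@Value NVARCHAR(50), @WhereValue NVARCHAR(50), @Rows INT OUTPUT',
         @Value = @Value, @WhereValue = @WhereValue, @Rows = @RowsAffected OUTPUT;
END;
GO

DECLARE @Rows INT;
-- Legitimate call. After part 1 both rows have Column1 = '1', so both are updated and @Rows is 2.
EXEC dbo.usp_UpdateOneColumn N'dbo', N'TABLE1_Demo', N'Name', N'Changed', N'Column1', N'1', @Rows OUTPUT;
SELECT @Rows AS RowsAffected;
-- The payload from part 1 is rejected: QUOTENAME turns it into one bracketed name, which is not a table.
EXEC dbo.usp_UpdateOneColumn N'dbo', N'dbo.TABLE1_Demo SET Column1 = 1; SELECT * FROM INFORMATION_SCHEMA.TABLES --',
                             N'Name', N'x', N'Column1', N'1', @Rows OUTPUT;
GO
DROP PROCEDURE dbo.usp_UpdateOneColumn;
DROP TABLE dbo.TABLE1_Demo;
```

The catalog check is the "list of actual table and column names" the answer asks for, kept in the database rather than duplicated in application code; QUOTENAME is what stops a name that survives the check from ever being parsed as anything but a single identifier. An application calling this procedure passes the table and column names as ordinary parameters and no longer needs to build SQL text at all.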