SQL update to the database is not working

Time: 2022-10-13 12:16:58

I am trying to update my database but it is not working.

I first tried this code:

SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();

string command = "UPDATE QuizTable SET ques1= @ques1VAL WHERE ID=@IDVAL";

SqlCommand cmd = new SqlCommand(@command, con);
cmd.Parameters.AddWithValue("@ques1VAL", ques1TextBox.Text);
cmd.Parameters.AddWithValue("@IDVAL", IDTextBox.Text);

cmd.ExecuteNonQuery();
con.Close();

It doesn't throw an error but it doesn't update the database. When I tried the next code, only integers are updated and not strings.

SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();

string command = "UPDATE QuizTable " +
                 "SET ques1=" + ques1TextBox.Text +
                 " WHERE ID=" + IDTextBox.Text;

SqlCommand cmd = new SqlCommand(@command, con);

cmd.ExecuteNonQuery();

con.Close();

Can anyone explain what I am doing wrong? I would prefer the code to be secure against SQL injection if possible, please.

2 solutions

#1 (0 votes)

In the first case you are missing the @ in the WHERE condition, so it should be like this:

SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable SET ques1= @ques1VAL WHERE ID=@IDVAL";
SqlCommand cmd = new SqlCommand(@command, con);
cmd.Parameters.AddWithValue("@ques1VAL", ques1TextBox.Text);
cmd.Parameters.AddWithValue("@IDVAL", IDTextBox.Text);
cmd.ExecuteNonQuery();
con.Close();

In your second case you pass the .Text but do not use proper string quotation. It should be like this:

SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable " +
               "SET ques1='" + ques1TextBox.Text +
               "' WHERE ID='" + IDTextBox.Text+"'";
SqlCommand cmd = new SqlCommand(@command, con);
cmd.ExecuteNonQuery();
con.Close();

#2 (2 votes)

You're missing the "@" for the IDVAL parameter:

string command = "UPDATE QuizTable SET ques1= @ques1VAL WHERE ID = @IDVAL";
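As an added example (not code from the question or from either answer), here is the parameterized UPDATE written the way a practitioner would ship it: explicitly typed parameters instead of AddWithValue, the ID parsed as an integer before it reaches the database, and the return value of ExecuteNonQuery checked so that "no error but nothing changed" shows up as 0 rows affected rather than silently passing. Beside it is a helper that builds the quoted concatenation from answer #1 for a hostile input, to show why adding quotes does not make string concatenation safe. Assumptions: QuizTable has an INT column ID and an NVARCHAR column ques1, the connection string is the one from the question, and QuizRepository, UpdateQuestion, TryUpdateFromForm and UnsafeSqlFor are hypothetical names chosen for this example.

```csharp
// Added example, not from the question or the answers.
// Assumes QuizTable(ID INT, ques1 NVARCHAR) and the question's connection string.
using System;
using System.Data;
using System.Data.SqlClient; // Microsoft.Data.SqlClient works the same way on newer .NET

static class QuizRepository
{
    const string ConnectionString =
        "Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;";

    // Returns the number of rows the UPDATE touched. 0 means no row had that ID,
    // which is how "no exception" is told apart from "nothing was updated".
    public static int UpdateQuestion(int id, string ques1)
    {
        const string sql = "UPDATE QuizTable SET ques1 = @ques1 WHERE ID = @id";

        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Typed parameters: the values travel as data, never as SQL text, so
            // quotes, comments or "OR 1=1" inside ques1 cannot alter the statement.
            // The NVARCHAR size is an assumption; match it to the real column.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@ques1", SqlDbType.NVarChar, 4000).Value = ques1;

            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Validates the form input first: the ID must be an integer, so junk such as
    // "1' OR '1'='1" is rejected here and never becomes a database round trip.
    public static bool TryUpdateFromForm(string idText, string ques1Text, out string message)
    {
        if (!int.TryParse(idText, out int id))
        {
            message = "'" + idText + "' is not a valid ID.";
            return false;
        }
        try
        {
            int rows = UpdateQuestion(id, ques1Text);
            message = rows == 1 ? "Updated." : "No row with ID " + id + " (" + rows + " rows affected).";
            return rows == 1;
        }
        catch (SqlException ex)
        {
            message = "Database error: " + ex.Message;
            return false;
        }
    }

    // The quoted concatenation from answer #1, kept only to show what it produces.
    // For idText = "1' OR '1'='1" and ques1Text = "x" the statement becomes
    //   UPDATE QuizTable SET ques1='x' WHERE ID='1' OR '1'='1'
    // which updates every row in the table. Never execute this form.
    public static string UnsafeSqlFor(string idText, string ques1Text)
    {
        return "UPDATE QuizTable " +
               "SET ques1='" + ques1Text +
               "' WHERE ID='" + idText + "'";
    }

    static void Main()
    {
        // Constructed hostile input: what the concatenated version would send to SQL Server.
        Console.WriteLine(UnsafeSqlFor("1' OR '1'='1", "x"));

        // The same input through the validated, parameterized path is rejected before any SQL runs.
        bool ok = TryUpdateFromForm("1' OR '1'='1", "x", out string msg);
        Console.WriteLine(ok + ": " + msg);
    }
}
```

In a form handler, call TryUpdateFromForm(IDTextBox.Text, ques1TextBox.Text, out var msg) and show msg to the user; a return of false with "0 rows affected" is the case the question describes, and it points at the WHERE clause (or at which copy of the .mdf the connection actually opened) rather than at the parameter syntax.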
