1. 首頁
  2. 問答
  3. 它說command.ExecuteNonQuery()未初始化

它說command.ExecuteNonQuery()未初始化

2012-09-18 34 views
1

我的代碼:它說command.ExecuteNonQuery()未初始化

// Get Connection String 
string conn = WebConfigurationManager.ConnectionStrings["GraduatesConnectionString"].ToString(); 
// Create connection object 
SqlConnection connection = new SqlConnection(conn); 
SqlCommand command = connection.CreateCommand(); 
try 
{ 
    // Open the connection. 
    connection.Open(); 
    // Execute the insert command. 
    command.CommandText = ("INSERT INTO PersonalInfo(Id,Name,LastName,ContactNumber, Address,Gender, Date_Of_Birth) VALUES(\'" 
       + (this.txtID.Text + ("\',\'" 
       + (this.txtName.Text + ("\',\'" 
       + (this.txtLastName.Text + ("\',\'" 
       + (this.txtContactNumber.Text + ("\',\'" 
       + (this.txtAddress.Text + ("\',\'" 
       + (this.gender + ("\',\'" 
       + (this.txtDateofBirth.Text + ("\',\'" 
      ))))); 
    command.ExecuteNonQuery(); 
} 
finally 
{ 
    // Close the connection. 
    connection.Close(); 
}

來源

2012-09-18 Alfrezo

+14

**馬上停下來,**去,瞭解SQL注入,以及如何參數化查詢中 – podiluska

+0

包裝你'SqlConnection' /'的SqlCommand '在[使用聲明]中(http://msdn.microsoft.com/en-us/library/yh598w02.aspx)。 – James

+0

http://stackoverflow.com/questions/601300/what-is-sql-injection – Paddy

回答

4 
using (SqlConnection connection = new SqlConnection(connectionString)) 
using (SqlCommand command = connection.CreateCommand()) 
{ 
    command.CommandText = "INSERT INTO PersonalInfo (Id, Name, LastName, ContactNumber, Address, Gender, Date_Of_Birth) VALUES (@Id, @Name, @LastName, @LastName, @Address, @Gender, @DateOfBirth)"; 

    command.Parameters.AddWithValue("@Id", txtID.Text); 
    ... 

    connection.Open(); 
    command.ExecuteNonQuery(); 
}

來源

2012-09-18 08:47:47 abatishchev

+0

downvote的原因是什麼? – abatishchev

+0

您實際上沒有回答OP的問題,只是重新編寫代碼 - 儘管採用更可靠的方式。然而,這可能只是一個評論(就像礦山&@ podiluska的)。 @ RonaldWildenberg的回答更爲恰當,因爲他至少說過*爲什麼*例外被提出。 – James

3

你以後txtDateofBirth所以你的說法是不完整的缺少一個右)

但是請注意@podiluska的評論。這段代碼很容易被濫用。假設我在txtDateofBirth輸入類似下面的文字:

;DROP TABLE PersonalInfo;

然後你得到這樣的查詢:

INSERT INTO PersonalInfo(...) 
VALUES (...);DROP TABLE PersonalInfo;

所以使用參數化查詢由@abatishchev描述。

來源

2012-09-18 08:48:26

1

我會忍不住對你的代碼更改爲:

string conn = WebConfigurationManager.ConnectionStrings["GraduatesConnectionString"].ToString(); 
// Create connection object 
using(SqlConnection connection = new SqlConnection(conn)) 
{ 
    string queryText = "INSERT INTO PersonalInfo(Id,Name,LastName,ContactNumber, Address,Gender, Date_Of_Birth) VALUES(@id,@name,@lastName,@contactNumber, @address,@gender, @date_Of_Birth)"; 

    using(SqlCommand command = new SqlCommand(queryText, connection)) 
    { 
     try 
     { 
      // Open the connection. 
      connection.Open(); 

      command.Parameters.AddWithValue("@id", this.txtID.Text); 
      command.Parameters.AddWithValue("@name", this.txtName.Text); 
      command.Parameters.AddWithValue("@lastName", this.txtLastName.Text); 
      command.Parameters.AddWithValue("@contactNumber", this.txtContactNumber.Text); 
      command.Parameters.AddWithValue("@address", this.txtAddress.Text); 
      command.Parameters.AddWithValue("@gender",this.gender); 
      command.Parameters.AddWithValue("@date_Of_Birth", this.txtDateofBirth.Text); 
      command.ExecuteReader(); 
     } 
     finally 
     { 
      // Close the connection. 
      if(connection.State != ConnectionState.Closed) 
       connection.Close(); 
     } 
    } 
}

來源

2012-09-18 08:53:58 HaemEternal

+0

非常感謝嗨,幫助很多 – Alfrezo

+0

@Alfrezo不用擔心,樂於幫助。 – HaemEternal

相關問題

 相關問題