2016-03-02 76 views
0
md.CommandText = "select * from HFour where ID=" + id[num]; 
SqlDataReader re = cmd.ExecuteReader(); 

if (re.HasRows) 
{ 
    while (re.Read()) 
    { 
     oldvalue.ID = Convert.ToInt32(re[0]); 
     oldvalue.Name = re[1].ToString(); 
     oldvalue.Description = re[2].ToString(); 
     oldvalue.SourceID = re[3].ToString(); 
     if (re[4] !=DBNull.Value) 
     { 
      oldvalue.SourceTypeID = Convert.ToInt32(re[4]); 
     } 
     else 
     { 
     } 
     oldvalue.CreatedOn = Convert.ToDateTime(re[5]); 
     oldvalue.CreatedBy = re[6].ToString(); 
     if (re[7] != DBNull.Value) 
     { 
      oldvalue.ModifiedOn = Convert.ToDateTime(re[7]); 
     } 
     oldvalue.ModifiedBy = re[8].ToString(); 
     oldvalue.HThreeID =         Convert.ToInt32(re[9].ToString()); 
     oldvalue.IsActive = Convert.ToBoolean(re[10].ToString()); 
    } 
    re.Close(); 

string command = "update HFour set Name='" + oldvalue.Name + "'," + 
       "Description='" + oldvalue.Description + "'," + 
       "SourceID='" + oldvalue.SourceID + "'," + "SourceTypeID=" + 
        oldvalue.SourceTypeID + "," + "CreatedOn='" + 
        oldvalue.CreatedOn + "'," + "CreatedBy='" + 
        oldvalue.CreatedBy + "'," + "ModifiedBy='" + 
        oldvalue.ModifiedBy + "'," + "ModifiedOn='" + 
        oldvalue.ModifiedOn + "'," + "HThreeID=" + 
        oldvalue.HThreeID + "," + "IsActive='" + 
        oldvalue.IsActive + "' where ID=" + id[num]; 
cmd.CommandText = command; 
int reed = cmd.ExecuteNonQuery(); 

和誤差如下:任何人都可以告訴我錯誤在哪裏int這片c#代碼?

類型「System.Data.SqlClient.SqlException」發生在 System.Data.dll中但在用戶代碼中沒有處理的例外,

附加信息:

附近有語法錯誤 ''

任何建議將不勝感激

+3

'id [num]'= to Bobby Tables? – Aron

+1

[什麼是SQL注入?](http://stackoverflow.com/questions/601300/what-is-sql-injection) –

+0

你好。我希望你現在看到你的問題的格式有多重要。請閱讀我們如何在SO中編寫完善的問題。這樣,問題的讀者就會明白問題的癥結所在。 – Christos

回答

3

問題出在你建立的命令。它形成不好。

但是這個代碼還有一個更嚴重的問題。它容易受到SQL injection的影響。你必須建立一個參數化查詢,以避免它,象下面這樣:

string command = "UPDATE HFour SET [email protected], [email protected]"; 
command.Parameters.Add(new SqlParamter("@Name",oldvalue.Name)); 
command.Parameters.Add(new SqlParamter("@Description",oldvalue.Description)); 

顯然,同樣也適用於第一個SQL查詢。

"select * from HFour where ID=" + id[num]; 

您將不得不使這也是一個參數化查詢。

+0

好的建議 –

相關問題