1. 首頁
  2. 問答
  3. 爲什麼我的查詢返回null

爲什麼我的查詢返回null

2012-11-06 229 views
-1

我想問爲什麼查詢返回null而不是更新我想要的。對不起,我還是用新的和asp.netc#爲什麼我的查詢返回null

myquery = "UPDATE kenderaan SET buatan = " + "'" + carmake + "'" + "," + 
      "model = " + "'" + carmodel + "'" + "," + 
      "no_enjin = " + "'" + carenjin + "'" + "," + 
      "cc = " + carcc + "," + 
      "seatCapacity = " + carseat + "," + 
      "tahunBuatan = " + caryear + " WHERE no_kenderaan = " + "'" + carid + "'" + "," + 
      "AND ic = " + "'" + cusid + "'"; 


connection = new DbConnection(); 
connection.Update(myquery);

來源

2012-11-06 Sky MarshiMaro

回答

1

創建DbCommand使用ExecuteNonQuery()方法來執行Update聲明。如果你正在使用SQL Server那麼你可以使用這塊代碼片斷:

using System.Data.SqlClient; 

string query = "UPDATE kenderaan SET buatan = @carmake" + 
      ", model = @carmodel" + 
      ", no_enjin = @carenjin" + 
      ", cc = @carcc" + 
      ", seatCapacity = @carseat" + 
      ", tahunBuatan = @caryear" + 
      " WHERE no_kenderaan = @carid AND ic = @cusid"; 

using (SqlConnection conn = new SqlConnection("<connection string>")) 
{ 
    using (SqlCommand cmd = new SqlCommand(query, conn)) 
    { 
     cmd.Parameters.AddWithValue("@carmake", carmake); 
     cmd.Parameters.AddWithValue("@carmodel", carmodel); 
     cmd.Parameters.AddWithValue("@carenjin", carenjin); 
     cmd.Parameters.AddWithValue("@carcc", carcc); 
     cmd.Parameters.AddWithValue("@carseat", carseat); 
     cmd.Parameters.AddWithValue("@caryear", caryear); 
     cmd.Parameters.AddWithValue("@carid", carid); 
     cmd.Parameters.AddWithValue("@cusid", cusid); 

     conn.Open(); 
     cmd.ExecuteNonQuery();    
    } 
}

來源

2012-11-06 03:55:40

+0

更多信息請刪除try/catch,否則讀者會認爲一個空的catch塊是w ay來處理異常。 –

+0

我已根據您的指示對其進行了更改。謝謝 –

3

重組你的代碼到這一點,使用Connection對象,Command對象,using聲明。

string myquery = "UPDATE kenderaan SET buatan = @carmake ," + 
       "  model = @carmodel ," + 
       "  no_enjin = @carenjin ," + 
       "  cc = @carcc ," + 
       "  seatCapacity = @carseat ," + 
       "  tahunBuatan = @caryear " + 
       "WHERE no_kenderaan = @carid " + 
       "  AND ic = @cusid "; 

using (MySqlConnection _conn = new MySqlConnection("connectionStringHere")) 
{ 
    using (MySqlCommand _comm = new MySqlCommand()) 
    { 
     _comm.Connection = _conn; 
     _comm.CommandText = myquery; 
     _comm.CommandType = CommandType.Text; 
     _comm.Parameters.AddWithValue("@carmake",carmake); 
     _comm.Parameters.AddWithValue("@carmodel",carmodel); 
     _comm.Parameters.AddWithValue("@carenjin",carenjin); 
     _comm.Parameters.AddWithValue("@carcc",carcc); 
     _comm.Parameters.AddWithValue("@carseat",carseat); 
     _comm.Parameters.AddWithValue("@caryear",caryear); 
     _comm.Parameters.AddWithValue("@carid",carid); 
     _comm.Parameters.AddWithValue("@cusid",cusid); 

     try 
     { 
      _conn.Open(); 
      _comm.ExecuteNonQuery(); 
      MessageBox.Show("Updated!"); 
     } 
     catch (MySqlException e) 
     { 
      MessageBox.Show(e.ToString()); // as mentioned on the comment 
     } 

    } 
}

爲什麼你需要參數查詢原因:

  • 避免SQL注入
  • 使得代碼更易讀
  • 等:d

來源

來源

2012-11-06 04:04:05

+0

爲什麼downvoted? :)需要評論,所以我可以更新。 –

+0

我沒有downvote,但我幾乎沒有。 e.Message.ToString()是一個壞習慣。使用e.ToString()來顯示內部異常和堆棧跟蹤。 –

-1

試試這個代碼後你的代碼:

,並確保VARCHAR參數比較字符串值。

string myquery = "UPDATE kenderaan SET buatan = '" + carmake + "',model = '"+ 
carmodel + "',no_enjin = '" +carenjin + "',cc = " + carcc + ",seatCapacity = " + 
carseat + ",tahunBuatan = " + caryear + 
" WHERE no_kenderaan = '" + carid + "' AND ic = '" + cusid + "'"; 


     connection = new DbConnection(); 
     connection.Update(myquery);

更新:道歉,我剛與糾正你的查詢您的WHERE條件我只是刪除逗號,你用來分隔兩個條件。

爲了避免SQL注入攻擊,使用其中的一個:

1)Parameters with Stored Procedures

2)Use Parameters with Dynamic SQL

3)Constrain Input

你可以找到在HERE

來源

2012-11-06 04:16:58

+0

-1沒有提到SQL注入攻擊。 –

+0

答覆已更新。 –

+0

但是仍然沒有提到SQL注入攻擊,或者如何避免它們。 –

相關問題

 相關問題