using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
public partial class Editprofile : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString;
string sql = "select userid from Profile";
SqlCommand cmd = new SqlCommand();
SqlDataReader dr;
DataTable dt = new DataTable();
cmd.CommandText = sql;
cmd.Connection = con;
con.Open();
dr = cmd.ExecuteReader();
dt.Load(dr);
ddl_userid.DataSource = dt;
ddl_userid.DataTextField = "userid";
ddl_userid.DataValueField = "userid";
ddl_userid.DataBind();
}
}
protected void ddl_userid_SelectedIndexChanged(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString;
string sql = "Select studname,gender,email,birthdate,contact from profile where userid='" + ddl_userid.SelectedValue + "'";
SqlCommand cmd = new SqlCommand();
SqlDataReader dr;
DataTable dt = new DataTable();
cmd.CommandText = sql;
cmd.Connection = con;
con.Open();
dr = cmd.ExecuteReader();
dt.Load(dr);
tb_studname.Text = dt.Rows[0]["studname"].ToString();
tb_gender.Text = dt.Rows[0]["gender"].ToString();
tb_email.Text = dt.Rows[0]["email"].ToString();
tb_age.Text = dt.Rows[0]["birthdate"].ToString();
tb_contact.Text = dt.Rows[0]["contact"].ToString();
Session["dt"] = dt;
}
protected void bn_reset_Click(object sender, EventArgs e)
{
DataTable dt = (DataTable)Session["dt"];
tb_studname.Text = dt.Rows[0]["studname"].ToString();
tb_gender.Text = dt.Rows[0]["gender"].ToString();
tb_email.Text = dt.Rows[0]["email"].ToString();
tb_age.Text = dt.Rows[0]["birthdate"].ToString();
tb_contact.Text = dt.Rows[0]["contact"].ToString();
}
protected void bn_update_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString;
String name = tb_studname.Text;
String gender = tb_gender.Text;
String email = tb_email.Text;
String age = tb_age.Text;
String contact = tb_contact.Text;
string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact;
sql=sql +"where userid='"+ddl_userid+"'";
SqlCommand cmd =new SqlCommand();
cmd.CommandText=sql;
cmd.Connection=con;
try
{
con.Open();
cmd.ExecuteNonQuery();
lbl_msg.Text="Record Updated!";
}
catch(Exception ex)
{
lbl_msg.Text="Problem encountered:"+ex.Message;
}
finally
{
con.Close();
con.Dispose();
cmd.Dispose();
}
}
}
當我加載頁面的復位按鈕作品嗨,大家好預期,但是當我嘗試這樣 問題遇到發生更新信息按鈕錯誤消息」後閉合的引號。字符串「」「系統」附近語法不正確。系統「:字符串「」附近有語法錯誤
在哪條線上? 「userid」列的類型是什麼,「ddl_userid.SelectedValue」的值是什麼?請注意_SQL Injection_攻擊。 –
[SQL注入警報](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - 你應該**不**連接你的SQL語句 - 使用**參數化查詢**而不是爲了避免SQL注入 –
@SonerGönüluserid是nvarchar(50),你是什麼意思的值ddl_userid.SelectedValue – sherrez