md.CommandText = "select * from HFour where ID=" + id[num];
SqlDataReader re = cmd.ExecuteReader();
if (re.HasRows)
{
while (re.Read())
{
oldvalue.ID = Convert.ToInt32(re[0]);
oldvalue.Name = re[1].ToString();
oldvalue.Description = re[2].ToString();
oldvalue.SourceID = re[3].ToString();
if (re[4] !=DBNull.Value)
{
oldvalue.SourceTypeID = Convert.ToInt32(re[4]);
}
else
{
}
oldvalue.CreatedOn = Convert.ToDateTime(re[5]);
oldvalue.CreatedBy = re[6].ToString();
if (re[7] != DBNull.Value)
{
oldvalue.ModifiedOn = Convert.ToDateTime(re[7]);
}
oldvalue.ModifiedBy = re[8].ToString();
oldvalue.HThreeID = Convert.ToInt32(re[9].ToString());
oldvalue.IsActive = Convert.ToBoolean(re[10].ToString());
}
re.Close();
string command = "update HFour set Name='" + oldvalue.Name + "'," +
"Description='" + oldvalue.Description + "'," +
"SourceID='" + oldvalue.SourceID + "'," + "SourceTypeID=" +
oldvalue.SourceTypeID + "," + "CreatedOn='" +
oldvalue.CreatedOn + "'," + "CreatedBy='" +
oldvalue.CreatedBy + "'," + "ModifiedBy='" +
oldvalue.ModifiedBy + "'," + "ModifiedOn='" +
oldvalue.ModifiedOn + "'," + "HThreeID=" +
oldvalue.HThreeID + "," + "IsActive='" +
oldvalue.IsActive + "' where ID=" + id[num];
cmd.CommandText = command;
int reed = cmd.ExecuteNonQuery();
错误如下:
System.Data.dll中发生类型为'System.Data.SqlClient.SqlException'的异常,但未在用户代码中处理
附加信息:
','附近的语法不正确
任何建议将不胜感激
问题出在您生成的命令中。它的格式不正确。
但是,此代码存在更严重的问题。它容易受到SQL注入的攻击。为了避免这种情况,您必须构建一个参数化查询,如下所示:
string command = "UPDATE HFour SET Name=@Name, Description=@Description";
command.Parameters.Add(new SqlParamter("@Name",oldvalue.Name));
command.Parameters.Add(new SqlParamter("@Description",oldvalue.Description));
显然,第一个sql查询也是如此。
"select * from HFour where ID=" + id[num];
您还必须对此进行参数化查询。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句