Web 表单不更新表格，为什么？

发布于 2024-08-28 09:57:35 字数 1077 浏览 5 评论 0原文

我有一个网络应用程序，页面上有一个更新页面，用于更新一些个人资料信息。下面是我用来更新表格的代码。但我认为这是错误的。有什么突出的吗？连接字符串起作用是因为它用于读取数据库以获取配置文件信息，我刚刚将其删除，因为它包含数据库的密码/登录信息。

player 是包含玩家信息的属性类，ds 是数据集，但我想在线更新数据库本身...

 Dim connectionString As String = ""

 Dim GigsterDBConnection As New System.Data.SqlClient.SqlConnection(connectionString)
 GigsterDBConnection.Open()
 Dim updatetoursql As String = "UPDATE PLAYERS SET FIRSTNAME = '" & player.FIRSTNAME & "', LASTNAME =  '" & player.LASTNAME & "', ADDRESS = '" & player.ADDRESS & "', CITY =  '" & player.CITY & "', ZIP = '" & player.ZIP & "', PHONE =  '" & player.PHONE & "', EMAIL = '" & player.EMAIL & "', REFFEREDBY =  '" & player.REFEREDBY & "' "

 updatetoursql = updatetoursql & "PLAYERID = '" & player.PLAYERID & "';"

 Dim cmd As New System.Data.SqlClient.SqlCommand(updatetoursql, GigsterDBConnection)
 Dim sqlAdapter As New System.Data.SqlClient.SqlDataAdapter(cmd)
 sqlAdapter.Update(ds, "PLAYERS")

我认为问题出在代码的最后 3 行。我做得对还是他们的方法更好？

谢谢

原文

I have a web application and on page is an update page to update some profile information. Below is the code I am using to update the table. But I think it is wrong. Does anything stick out? The connection string works cause it is used to read the database to get the profile information, I just removed it due to it containing password/login info for the db.

player is the class of properties that contains player information and ds is the dataset, but I would like to update the database itself online...

 Dim connectionString As String = ""

 Dim GigsterDBConnection As New System.Data.SqlClient.SqlConnection(connectionString)
 GigsterDBConnection.Open()
 Dim updatetoursql As String = "UPDATE PLAYERS SET FIRSTNAME = '" & player.FIRSTNAME & "', LASTNAME =  '" & player.LASTNAME & "', ADDRESS = '" & player.ADDRESS & "', CITY =  '" & player.CITY & "', ZIP = '" & player.ZIP & "', PHONE =  '" & player.PHONE & "', EMAIL = '" & player.EMAIL & "', REFFEREDBY =  '" & player.REFEREDBY & "' "

 updatetoursql = updatetoursql & "PLAYERID = '" & player.PLAYERID & "';"

 Dim cmd As New System.Data.SqlClient.SqlCommand(updatetoursql, GigsterDBConnection)
 Dim sqlAdapter As New System.Data.SqlClient.SqlDataAdapter(cmd)
 sqlAdapter.Update(ds, "PLAYERS")

I think the issue is something the 3 last lines of the code. am I doing it right or is their a better way?

Thanks

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

九八野马 2024-09-04 09:57:35

好吧，除了明显的 SQL 注入问题等着你......（提示：使用参数化查询而不是将 SQL 语句连接在一起！！）

Dim cmd As New SqlCommand(updatetoursql, GigsterDBConnection)
Dim sqlAdapter As New SqlDataAdapter(cmd)

这里的问题是：如果你调用这样，您传入的 SqlDataAdapter 构造函数是（数据适配器的）select 命令 - 而不是更新命令！

您需要这样做：

Dim cmd As New SqlCommand(updatetoursql, GigsterDBConnection)
Dim sqlAdapter As New SqlDataAdapter()
sqlAdapter.UpdateCommand = cmd;

现在您已将 UPDATE 语句与 SqlDataAdapter.UpdateCommand 关联起来，现在它应该可以工作了。

关于 SQL 注入：我强烈建议始终使用参数化查询 - 至少在生产代码中。因此，不要将查询连接在一起，而是使用以下命令：

Dim updatetoursql As String = 
   "UPDATE PLAYERS SET FIRSTNAME = @FirstName, LASTNAME = @LastName, " & 
   "ADDRESS = @Address, CITY = @City, ZIP = @Zip, PHONE = @Phone " &
   "EMAIL = @EMail, REFFEREDBY = @ReferredBy, PLAYERID = @PlayerID"

然后在执行命令或 SqlDataAdapter.Update 语句之前，将这些参数设置为您拥有的值。这更加安全，减少了您的麻烦，甚至可能提高速度（如果单个更新查询仅在 SQL Server 内存中缓存一次）。

另外，为什么要走漫长而复杂的 SqlDataAdapter 之路呢？

创建 SqlCommand 并设置所有参数后，只需调用 cmd.ExecuteNonQuery(); 即可完成！

Dim cmd As New SqlCommand(updatetoursql, GigsterDBConnection)

// set up the parameters here.....
cmd.Parameters.AddWithvalue("@FirstName", FirstName);
... etc.

// just call ExecuteNonQuery - and you're done!
cmd.ExecuteNonQuery();

Well, apart from the glaring SQL injection issues waiting to bite you ..... (hint: use parametrized queries instead of concatenating together your SQL statement!!)

Dim cmd As New SqlCommand(updatetoursql, GigsterDBConnection)
Dim sqlAdapter As New SqlDataAdapter(cmd)

The problem here is: if you call the SqlDataAdapter constructor this way, what you're passing in is the select command (of the data adapter) - not the update command!

You need to do it this way:

Dim cmd As New SqlCommand(updatetoursql, GigsterDBConnection)
Dim sqlAdapter As New SqlDataAdapter()
sqlAdapter.UpdateCommand = cmd;

Now you've associated your UPDATE statement with the SqlDataAdapter.UpdateCommand and now it should work.

About the SQL injection: I'd strongly recommend using parametrized queries all the time - at least in production code. So instead of concatenating together your query, use this:

Dim updatetoursql As String = 
   "UPDATE PLAYERS SET FIRSTNAME = @FirstName, LASTNAME = @LastName, " & 
   "ADDRESS = @Address, CITY = @City, ZIP = @Zip, PHONE = @Phone " &
   "EMAIL = @EMail, REFFEREDBY = @ReferredBy, PLAYERID = @PlayerID"

and then before you execute the command or the SqlDataAdapter.Update statement, set those parameters to the values you have. This is much safer and gives you less headaches and possibly even speed improvements (if that single Update query is only cached once in SQL Server memory).

Also, why go the long and complicated way of a SqlDataAdapter at all??

After you've created the SqlCommand and set all the parameters, just call cmd.ExecuteNonQuery(); and you're done!

Dim cmd As New SqlCommand(updatetoursql, GigsterDBConnection)

// set up the parameters here.....
cmd.Parameters.AddWithvalue("@FirstName", FirstName);
... etc.

// just call ExecuteNonQuery - and you're done!
cmd.ExecuteNonQuery();

回复收藏 0 原文