0

仅更新电子邮件时出现的问题所有其他空白都为 null 。即使我在 sql server 2008 中未选中允许 null 。我的代码是-

protected void Updateinfo_Click(object sender, EventArgs e)
{
    string radiogender;
    if (Radiochngmale.Checked == true)
        radiogender = Radiochngmale.Text.ToString();
    else
        radiogender = Radiochngfemale.Text.ToString();
    SqlConnection con = new SqlConnection();
    con.ConnectionString = ConfigurationManager.ConnectionStrings["Con"].ConnectionString;
    con.Open();
    if (con.State == ConnectionState.Open)
    {
        SqlCommand cmd = new SqlCommand();
        Random r = new Random();
        int next = r.Next();
        if (FileUpload2.HasFile)
        {
            string myMap = MapPath("~/").ToLower();
            string ImageName = FileUpload2.PostedFile.FileName;
            sImageFileExtension = ImageName.Substring(ImageName.LastIndexOf(".")).ToLower();
            if (sImageFileExtension == ".gif" || sImageFileExtension == ".png" || sImageFileExtension == ".jpg" || sImageFileExtension == ".jpeg" || sImageFileExtension == ".bmp")
            {
                string ImageSaveURL = myMap + "UserImage/" + next + sImageFileExtension;
                FileUpload2.PostedFile.SaveAs(ImageSaveURL);
            }
            else
                Response.Write("Invalid File");
        }
        cmd.Connection = con; 
        if(chngfname.Text==null)
            chngfname.Text="Select Firstname from Login where Email='"+Session["UserName"]+"'";
        if (chnglastname.Text == null)
            chnglastname.Text = "Select Lastname from Login where Email='" + Session["UserName"] + "'";
        if (chngage.Text == null)
            chngage.Text = "Select age from Login where Email='" + Session["UserName"] + "'";
        if (chngemail.Text == null)
            chngemail.Text = "Select Email from Login where Email='" + Session["UserName"] + "'";
        if (radiogender == null)
            radiogender = "Select gender from Login where Email='" + Session["UserName"] + "'";
        if (chngpassword.Text == null)
            chngpassword.Text = "Select Password from Login where Email='" + Session["UserName"] + "'";
        if ( FileUpload2.HasFile==null)
             sImageFileExtension = "Select profile_pic from Login where Email='" + Session["UserName"] + "'";
        if (chngfname.Text == null)
            chngfname.Text = "Select Firstname from Login where Email='" + Session["UserName"] + "'";
        cmd.CommandText =  "Update Login set FirstName = '"+chngfname.Text+"',LastName='"+chnglastname.Text+"',Email='"+chngemail.Text+"',Password='"+chngpassword.Text+"' ,gender='"+radiogender+"',age='"+chngage.Text+"' , profile_pic='"+ next + sImageFileExtension + "' where Email='"+Session["UserName"]+"'";  
        cmd.CommandType = CommandType.Text; 
        cmd.ExecuteNonQuery();
        }
    }

为什么即使我提到要取它,它也不取以前的值。请检查并整理出来

4

2 回答 2

2

发生这种情况是因为 TextBox.Text 永远不会为空,因此您的 SQL 查询最终看起来像这样:

Update Login 
  set FirstName = '', 
      LastName = '',
where Email = 'John.doe@nowhere.net'

-- etc...

除了数据实际设置为某物的一两个字段。这可能是您希望它看起来的样子:

update login
  set FirstName = 'John', 
      LastName = (select Lastname from login where email = 'John.doe@nowhere.net'), 
      etc...
where email = 'John.doe@nowhere.net'

但是,不需要子查询。如果要避免覆盖值为 null 或空字符串的值,则希望 SQL 如下所示,请使用参数并在文本框为空时将其设置为 DbNull。

cmd.Parameters.AddWithValue("@FirstName", (chngfname.Text == String.Empty) ? DbNull.Value : chngfname.Text;

update login
  set FirstName = coalesce(@firstName, FirstName), 
      LastName = coalesce(@LastName, LastName), 
      etc...
where Email = @Email

另一个选项是首先选择记录(我确定您已经完成了),然后简单地使用数据库中已有的相同值。

if (chngfname.Text == String.Empty) chngfname.Text = Session["CurrentUserEntity"].FirstName;

此外,您需要将其更改为参数化查询:

string sql = "update login set FirstName = @firstName, LastName = @lastName, etc... where email = @email;
cmd.Parameters.Add(...);
于 2012-08-25T13:26:42.863 回答
1

您应该尝试使用参数化查询而不是当前的字符串连接方法。
这将解决引用问题并防止 sql 注入攻击

cmd.CommandText =  "Update Login set FirstName = @First, LastName=@Last, " +
                   "Email=@Mail, Password=@Pass, gender=@Gend,age=@Age, " + 
                   "profile_pic=@Prof " + 
                   "where Email=@oldMail";
cmd.Parameters.AddWithValue("@First", chngfname.Text);
cmd.Parameters.AddWithValue("@Last", chnglastname.Text);
cmd.Parameters.AddWithValue("@Mail", chngemail.Text);
cmd.Parameters.AddWithValue("@Pass", chngpassword.Text);
cmd.Parameters.AddWithValue("@Gend", radiogender);
cmd.Parameters.AddWithValue("@Age", chngage.Text);
cmd.Parameters.AddWithValue("@Prof", next + sImageFileExtension );
cmd.Parameters.AddWithValue("@oldMail", +Session["UserName"]);

但是,正如我在之前的评论中所说,您的代码似乎不正确。
首先 TextBox.Text 不能为空,它是一个空字符串。这将跳过上面的空值文本,最后在数据库中设置一个空值。至少尝试改变测试

if(string.IsNullOrEmpty(chngfname.Text))
    ......

但是此时您应该更改上面每个 if 中的代码。如果您的意图是从数据库中检索旧值并在空字符串的情况下使用它们,则需要执行该字符串,而不是将其存储在文本框中。

编辑:在开始更新过程之前,您需要加载您尝试更新的记录的旧值。这可以使用相同的连接来完成

   SqlDataAdapter da = new SqlDataAdapter("SELECT * from Login where EMail = @oldMail", con);
   da.SelectCommand.Parameters.AddWithValue("@oldMail", Session["UserName");
   DataTable dt = new DataTable();
   da.Fill(dt);

现在您在数据表中拥有该用户的所有旧值,因此当您检查旧值时,您可以编写类似这样的内容

if(string.IsNullOrEmpty(chngfname.Text))
    cngfname.Text = (dt.Rows["FirstName"]  == DBNull.Value ? string.Empty : dt.Rows["FirstName"].ToString());

并删除该 sql 字符串,因为您已经检索到每个可能丢失的字段的值

于 2012-08-25T13:27:31.020 回答