OleDbCommand system = new OleDbCommand();
system.CommandType = CommandType.Text;
system.CommandText = "DELETE FROM Student WHERE(ID= '" +
txtStudentIDnumber.Text + "')";
system.Connection = mydatabase;
mydatabase.Open();
system.ExecuteNonQuery();
dataGridView1.Update();
this.tableAdapterManager.UpdateAll(csharrpfinalprojectDataSet);
mydatabase.Close();
MessageBox.Show("Student Record Deleted.", "deleting record...");
问问题
1734 次
3 回答
2
OleDbCommand system = new OleDbCommand();
system.CommandType = CommandType.Text;
system.CommandText = "DELETE FROM Student WHERE ID=@ID";
system.Parameters.AddWithValue("@ID", txtStudentIDnumber.Text);
system.Connection = mydatabase;
mydatabase.Open();
system.ExecuteNonQuery();
dataGridView1.Update();
this.tableAdapterManager.UpdateAll(csharrpfinalprojectDataSet);
mydatabase.Close();
MessageBox.Show("Student Record Deleted.", "deleting record...");
于 2012-09-18T12:10:37.090 回答
2
在您的命令文本中,您需要删除(')
周围的单引号,txtStudentIDnumber.Text
因为它显示 ID 是整数类型,并且您将其作为字符串传递。以下应该修复错误。
system.CommandText = "DELETE FROM Student WHERE(ID= " + txtStudentIDnumber.Text + ")";
编辑:关于@mdb 注释,您应该始终在查询中使用参数,这样您就可以避免SQL Injection。考虑以下:
OleDbCommand system = new OleDbCommand();
system.CommandType = CommandType.Text;
system.CommandText = "DELETE FROM Student WHERE ID = ?";
OleDbParameter parameter = new OleDbParameter("ID", txtStudentIDnumber.Text);
system.Parameters.Add(parameter);
system.Connection = mydatabase;
mydatabase.Open();
system.ExecuteNonQuery();
dataGridView1.Update();
于 2012-09-18T09:54:34.037 回答
1
当用户输入 for 时会发生什么txtStudentIDNumber
,
1 or 1=1
在这种情况下,硬编码的 SQL 字符串将是,
DELETE FROM Student WHERE(ID=1 or 1=1)
所以更喜欢参数化的 sql 语句而不是硬编码的字符串。
using(OleDbConnection cn=new OleDbConnection(cnStr))
{
using(OleDbCommand cmd=new OleDbCommand())
{
cmd.CommandText="DELETE FROM Student WHERE ID=@ID";
cmd.Connection=cn;
cmd.Parameters.Add("@ID",SqlDbType.Int).Value=txtStudentIDnumber.Text;
cn.Open();
cmd.ExecuteNonQuery();
cn.Close();
}
}
于 2012-09-18T10:07:44.033 回答