-1

我想问为什么查询返回 null 而不是更新我想要的。对不起,我还是asp.net新手c#

myquery = "UPDATE kenderaan SET buatan = " + "'" + carmake + "'" + "," +
          "model = " + "'" + carmodel + "'" + "," +
          "no_enjin = " + "'" + carenjin + "'" + "," +
          "cc = " + carcc + "," +
          "seatCapacity = " + carseat + "," +
          "tahunBuatan = " + caryear + " WHERE no_kenderaan = " + "'" + carid + "'" + "," +
          "AND ic = " + "'" + cusid + "'";


connection = new DbConnection();
connection.Update(myquery);
4

3 回答 3

3

将您的代码重组为此,使用Connection对象,Command对象,using语句。

string myquery = "UPDATE kenderaan SET buatan = @carmake ," +
              "     model = @carmodel ," +
              "     no_enjin =  @carenjin ," +
              "     cc = @carcc ," +
              "     seatCapacity =  @carseat ," +
              "     tahunBuatan = @caryear " +
              "WHERE no_kenderaan = @carid " +
              "     AND ic = @cusid ";

using (MySqlConnection _conn = new MySqlConnection("connectionStringHere"))
{
    using (MySqlCommand _comm = new  MySqlCommand())
    {
        _comm.Connection = _conn;
        _comm.CommandText = myquery;
        _comm.CommandType = CommandType.Text;
        _comm.Parameters.AddWithValue("@carmake",carmake);
        _comm.Parameters.AddWithValue("@carmodel",carmodel);
        _comm.Parameters.AddWithValue("@carenjin",carenjin);
        _comm.Parameters.AddWithValue("@carcc",carcc);
        _comm.Parameters.AddWithValue("@carseat",carseat);
        _comm.Parameters.AddWithValue("@caryear",caryear);
        _comm.Parameters.AddWithValue("@carid",carid);
        _comm.Parameters.AddWithValue("@cusid",cusid);

        try
        {
            _conn.Open();
            _comm.ExecuteNonQuery();
            MessageBox.Show("Updated!");
        }
        catch (MySqlException e)
        {
            MessageBox.Show(e.ToString()); // as mentioned on the comment
        }

    }
}

需要参数化查询的原因:

  • 避免 SQL 注入
  • 使您的代码更具可读性
  • 等等.. :D

来源

于 2012-11-06T04:04:05.093 回答
1

通过 using方法创建一个DbCommand执行Update语句。ExecuteNonQuery()如果您正在使用,SQL Server那么您可以使用这段代码片段:

using System.Data.SqlClient;

string query = "UPDATE kenderaan SET buatan = @carmake" +
          ", model = @carmodel" +
          ", no_enjin =  @carenjin" +
          ", cc = @carcc" +
          ", seatCapacity = @carseat" +
          ", tahunBuatan = @caryear" +
          " WHERE no_kenderaan = @carid AND ic = @cusid";

using (SqlConnection conn = new SqlConnection("<connection string>"))
{
    using (SqlCommand cmd = new SqlCommand(query, conn))
    {
        cmd.Parameters.AddWithValue("@carmake", carmake);
        cmd.Parameters.AddWithValue("@carmodel", carmodel);
        cmd.Parameters.AddWithValue("@carenjin", carenjin);
        cmd.Parameters.AddWithValue("@carcc", carcc);
        cmd.Parameters.AddWithValue("@carseat", carseat);
        cmd.Parameters.AddWithValue("@caryear", caryear);
        cmd.Parameters.AddWithValue("@carid", carid);
        cmd.Parameters.AddWithValue("@cusid", cusid);

        conn.Open();
        cmd.ExecuteNonQuery();            
    }
}
于 2012-11-06T03:55:40.000 回答
-1

尝试使用此代码代替您的代码:

并确保 varchar 参数与字符串值进行比较。

 string myquery = "UPDATE kenderaan SET buatan = '" + carmake + "',model = '"+ 
 carmodel + "',no_enjin = '" +carenjin + "',cc = " + carcc + ",seatCapacity = " + 
 carseat + ",tahunBuatan = " + caryear +
 " WHERE no_kenderaan = '" + carid +  "' AND ic = '" + cusid + "'";


        connection = new DbConnection();
        connection.Update(myquery);

更新:抱歉,我刚刚用你的 where 条件更正了你的查询,我刚刚删除了你用来分隔两个条件的逗号。

为避免 SQL 注入攻击,请使用以下之一:

1)Parameters with Stored Procedures

2)Use Parameters with Dynamic SQL

3)Constrain Input

你可以在这里找到更多信息

于 2012-11-06T04:16:58.287 回答