0

我正在尝试使用以下代码填充带有名字和姓氏的文本框:

using (OleDbConnection connName = new OleDbConnection(strCon))
            {

                String sqlName = "SELECT forename, Surname FROM customer WHERE [customerID]=" + txtCustomerID.Text;

                // Create a command to use to call the database.
                OleDbCommand commandname = new OleDbCommand(sqlName, connName);
                 connName.Open();
                // Create a reader containing the results


                using (OleDbDataReader readerName = commandname.ExecuteReader())
                {
                    readerName.Read(); // Advance to the first row.
                    txtName.Text = readerName[0].ToString();
                }
                connName.Close();                 

             }

但是我得到了错误:OleDbException未处理。

“多个必需参数之一没有必需值”

ExecuteReader,我不知道如何解决这个问题。

编辑:下面的代码与查询中的信息几乎完全相同,但不会出现此异常。

  string strCon = Properties.Settings.Default.PID2dbConnectionString;

        using (OleDbConnection conn = new OleDbConnection(strCon))
        {
            String sqlPoints = "SELECT points FROM customer WHERE [customerID]=" + txtCustomerID.Text;
            conn.Open();

            // Create a command to use to call the database.
            OleDbCommand command = new OleDbCommand(sqlPoints, conn);
            // Create a reader containing the results

            using (OleDbDataReader reader = command.ExecuteReader())
            {
                reader.Read(); // Advance to the first row.
                txtPoints.Text = reader[0].ToString(); // Read the contents of the first column
            }
            conn.Close();
        }
4

2 回答 2

1

通常的原因是 null 或空字符串,即 txtCustomerID.Text 没有值,因此发送到服务器的查询是:

SELECT forename, Surname FROM customer WHERE [customerID]=

您可以避免此类错误和SQL Injection,使用强类型参数并使用参数化查询避免数据截断(我假设客户 ID 是一个 int 字段)

    using (OleDbConnection connName = new OleDbConnection(strCon))
    {
        String sqlName = "SELECT forename, Surname FROM customer WHERE customerID = @CustomerID";

        // Create a command to use to call the database.
        using (OleDbCommand commandname = new OleDbCommand(sqlName, connName))
        {

            //Check the input is valid
            int customerID = 0;
            if (!int.TryParse(txtCustomerID.Text, out customerID))
            {
                txtName.Text = "Customer ID Text box is not an integer";
                return;
            }


            connName.Open();

            // Add the parameter to the command
            commandname.Parameters.Add("@CustomerID", OleDbType.Integer).Value = customerID;

            // Create a reader containing the results
            using (OleDbDataReader readerName = commandname.ExecuteReader())
            {
                readerName.Read(); // Advance to the first row.
                txtName.Text = readerName[0].ToString();
            }
            connName.Close();                 
        }
    }
于 2013-01-10T18:19:32.017 回答
0

您必须对字符串查询中使用的参数进行编码。

  String sqlName = String.Format("SELECT forname, Surname FROM customer WHERE customerID={0}",txtCustomerID.Text);

但我建议您不要使用硬编码在字符串中的 SQL 查询。SQL注入攻击的简单方法。您应该改用参数。

于 2013-01-10T17:08:29.547 回答