0

在我的应用程序中,当用户单击删除按钮时,允许用户从网格视图中删除整行。但在删除查询中出现错误。错误是“无效的列名”我的代码如下:

<asp:GridView ID="GridView1" runat="server"  DataKeyNames="Username" AutoGenerateColumns="false" OnPageIndexChanging="GridView1_PageIndexChanging" OnRowDeleting="GridView1_RowDeleting" >
<Columns>
<asp:BoundField DataField="UserName" HeaderText="UserName" ReadOnly="true" />
<asp:BoundField DataField="Name" HeaderText="Name" ReadOnly="true" />
<asp:BoundField DataField="Password" HeaderText="Password" ReadOnly="true" />
<asp:BoundField DataField="Email" HeaderText="Email" ReadOnly="true" />
<asp:CommandField ShowDeleteButton="true"  />
</Columns>
</asp:GridView>

C#代码是:

SqlConnection conn = new SqlConnection(@"Data Source=CHINNU-PC\SQLEXPRESS; Initial Catalog= CarDetails; Integrated Security=True");

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            gvbind();
        }
    }

    protected void gvbind()
    {
        conn.Open();
        SqlCommand cmd = new SqlCommand("Select * From [User]", conn);
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataSet ds = new DataSet();
        da.Fill(ds);
        conn.Close();
        if (ds.Tables[0].Rows.Count > 0)
        {
            GridView1.DataSource = ds;
            GridView1.DataBind();
        }
    }

 public void Delete(string UserName)
        {
            string sql = "Delete From [User] Where UserName=" + UserName;

            conn.Open();
            SqlCommand cmd = new SqlCommand(sql, conn);
            cmd.ExecuteNonQuery();
            conn.Close();
            conn.Dispose();
        }
        protected void GridView1_RowDeleting(object sender, GridViewDeleteEventArgs e)
        {
            Delete(GridView1.DataKeys[e.RowIndex].Values[0].ToString());
            gvbind();
        }
4

2 回答 2

4

你会收到很多关于 SQL 注入等的评论......

但是,为了回答 - 您需要UserName在 SQL 语句中用单引号括起来。

所以这 -

string sql = "Delete From [User] Where UserName=" + UserName;

应该是这样的:

string sql = "Delete From [User] Where UserName='" + UserName + "'";
于 2013-08-22T16:25:31.437 回答
0

此代码对 SQL 注入攻击很开放,只需输入 ' OR 1=1;-- 作为用户名或密码,即可泄露所有用户名和密码。您创建 SQL 语句的方式使您的应用程序容易受到 SQL 注入的攻击,这是黑客入侵网站的最常见方式之一。而不是这样做,更喜欢参数化查询。

于 2018-09-06T07:14:55.177 回答