0

有人可以告诉我为什么我的代码不断收到“无效输入”吗?我已经检查了我的数据库几次,我似乎无法找到问题所在。我现在正在使用规范化数据库。

我刚刚注意到我粘贴了错误的代码

namespace MemorialSystem
{
    public partial class Reservation : Form
    {
        SqlConnection con;
        SqlCommand cmd;
        SqlDataAdapter adapter;
        SqlCommandBuilder cd;
        DataSet ds;

        public Reservation()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            Form1 o = new Form1();
            o.Show();
            this.Hide();
        }

        private void Reservation_Load(object sender, EventArgs e)
        {
            con = new SqlConnection("Data Source=(local);Initial Catalog=Memorial_park;Integrated Security=True");
            cmd = new SqlCommand("select * from Records", con);
            adapter = new SqlDataAdapter(cmd);
            cd = new SqlCommandBuilder(adapter);
            ds = new DataSet();
        }

        private void button2_Click(object sender, EventArgs e)
        {
            con.Open();
            try
            {

                if (textBox1.Text == "" || textBox2.Text == "" || textBox3.Text == "" || comboBox1.Text == "" || textBox8.Text == "" || dateTimePicker1.Value.ToString("yyyyMMdd HH:mm:ss") == "" || dateTimePicker2.Value.ToString("yyyyMMdd HH:mm:ss") == "" || textBox7.Text == "" || textBox5.Text == "" || dateTimePicker3.Value.ToString("yyyyMMdd HH:mm:ss") == "")
                {
                    MessageBox.Show("Please input a value!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
                }
                else
                {
                    if (MessageBox.Show("Are you sure you want to reserve this record?", "Reserve", MessageBoxButtons.YesNo, MessageBoxIcon.Question) == DialogResult.Yes)
                    {
                        cmd = new SqlCommand("insert into Records(NameofLotOwner, HomeAddress, TelNo, RelationDeceased, NameOfDeceased, Address, DateofBirth, DateofDeath, PlaceofDeath, CausefDeath, DateofInterment) values('" + textBox1.Text + "', '" + textBox2.Text + "', '" + textBox3.Text + "', '" + comboBox1.SelectedItem + "', '" + textBox8.Text + "', '" + dateTimePicker1.Value.ToString("yyyyMMdd HH:mm:ss") + "', '" + dateTimePicker2.Value.ToString("yyyyMMdd HH:mm:ss") + "', '" + textBox7.Text + "', '" + textBox5.Text + "', '" + dateTimePicker3.Value.ToString("yyyyMMdd HH:mm:ss") + "')", con);

                        cmd.ExecuteNonQuery();

                        MessageBox.Show("Your reservation has been made!", "Reserve", MessageBoxButtons.OK, MessageBoxIcon.Information);
                    }
                }
            }

            catch (Exception x)
            {
                MessageBox.Show("Invalid Input");
            }
            con.Close();
        }

        private void label16_Click(object sender, EventArgs e)
        {

        }
    }
}
4

1 回答 1

4

我建议使用这样的参数化查询

   try
   {
        string cmdText = "select username, password from Login " + 
                         "where username=@uname and password=@pwd";
        using(SqlConnection con = new SqlConnection(.....))
        using(SqlCommand cmd = new SqlCommand(cmdText, con);
        {
            con.Open();
            cmd.Parameters.AddWithValue("@uname", textbox1.Text);
            cmd.Parameters.AddWithValue("@pwd", textbox2.Text);
            SqlDataReader reader = cmd.ExecuteReader();
            if (reader.Read())
            {
               ......
            }
        }
    {
    catch (Exception ex)
    {
         .....
    }

这样,如果您在用户名或密码中使用单引号,传递给底层引擎的语法将被框架代码正确引用,并且您可以避免 Sql Injection(请参阅评论中来自 dasblinkenlight 的链接)

编辑现在您已经更新了代码,我认为我的建议现在比以前更有效。
使用字符串连接来构建命令是一种非常糟糕的做法,正如您在像您这样的中等长度语句所需的所有引用中所看到的那样。
如果您使用 SqlCommand 的参数集合,您将避免所有这些与引用字符串、小数和日期时间值有关的混乱。

作为旁注,不要在表单的生命周期内保持全局连接对象打开。如果您忘记关闭和处置您的程序将开始泄漏资源并且您的应用程序变得不稳定(参见using 语句连接池

 cmd = new SqlCommand("insert into Records(NameofLotOwner, HomeAddress, TelNo, " + 
                      "RelationDeceased, NameOfDeceased, Address, DateofBirth, " + 
                      "DateofDeath, PlaceofDeath, CausefDeath, DateofInterment) " + 
                      "values(@p1, @p2, @p3,@p4, @p5 @p6, @p6, @p8, @p9,@p10, @p11)", con);
 cmd.Parameters.AddWithValue("@p1", textBox1.Text);
 .....
 cmd.Parameters.AddWithValue("@p6", dateTimePicker1.Value);
 .....
于 2013-09-14T14:50:41.787 回答