问题
I'm trying to run this register form and whenever I try to run it I get an error saying that I have a mistake when using the INSERT INTO command.
Here is the error log: http://i.imgur.com/dQYP0U7.png
And here is the full code:
protected void Page_Load(object sender, EventArgs e)
{
string username = Request.Form["username"];
string password = Request.Form["password"];
string email = Request.Form["email"];
OleDbConnection dbCon = new OleDbConnection();
OleDbCommand dbCmd = new OleDbCommand();
String Path = Server.MapPath(@"../App_Data/XXX.mdb;");
dbCon.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data source=" + Path;
dbCmd.Connection = dbCon;
OleDbDataAdapter dataA = new OleDbDataAdapter(dbCmd);
dbCmd.CommandText = String.Format("SELECT * FROM Members where username = '{0}';", username);
DataTable dataT = new DataTable();
dataA.Fill(dataT);
if (dataT.Rows.Count == 0)
{
//dbCmd.CommandText = String.Format("INSERT INTO Members (username, password, email) VALUES ('{0}','{1}','{2}');", username, password, email);
dbCmd.CommandText = String.Format("INSERT INTO Members (username, password, email) VALUES ('" + username + "','" + password + "','" + email + "')");
dbCon.Open();
dbCmd.ExecuteNonQuery();
dbCon.Close();
}
else
{
Response.Write("That username is alredy taken");
Response.Redirect("register.aspx");
}
}
I want it to execute the command properly and add it to the database. As you can see, I tried using 2 methods of entering data into the database
dbCmd.CommandText = String.Format("INSERT INTO Members (username, password, email) VALUES ('{0}','{1}','{2}');", username, password, email);
And
dbCmd.CommandText = String.Format("INSERT INTO Members (username, password, email) VALUES ('" + username + "','" + password + "','" + email + "')");
None of them worked.
Can anyone help me solve this problem?
Thank you :)
回答1:
The problem is that Email addresses contain the @ symbol, which is interpreted as a sql parameter.
The solution is to use parameters properly
回答2:
TLDR; the code is bad, open to all sorts of stuff. db conn info in plain site should not be. you need a parameterized stored procedure to do this safely. Sanitize the data on the client side, and write your code to handle special symbols.Set the form collected values to SQL input params, call your sproc passing them in, so something based on the return value.
(the longer explanation) 1. Put your connection string information into a web.config file 2. Enforce some client side validation 3. Create a single stored procedure that will update or insert based on if the name already exists 4. Run your code to login passing into the SPROC the data you collected from your form as the input parameters to the sproc.
i am missing a lot of pseudo code etc. If you were curious about the concept that is it, If you are looking for the actual code I can help you out another time.
来源:https://stackoverflow.com/questions/28973816/whenever-i-try-to-run-this-code-it-gives-me-an-error-asp-net-sql