
Fixing the "Invalid column name ''" (列名“”无效) error

2012-11-19 

Invalid column name ''
protected void LoadMessage(string str1, string str2)
{
    SqlConnection con = new SqlConnection(strConstrin);
    con.Open();
    sqlString = "select * from Student where " + str1 + "=" + str2 + "";
    SqlCommand cmd = new SqlCommand(sqlString, con);
    SqlDataAdapter SqlAd = new SqlDataAdapter(cmd);
    DataSet Rs = new DataSet();
    SqlAd.Fill(Rs);
    DataTable NewsTable = Rs.Tables[0];
    this.GridView1.DataSource = NewsTable;
    this.GridView1.DataBind();
    con.Close();
}

protected void Button1_Click(object sender, EventArgs e)
{
    string name = TextBox1.Text;
    LoadMessage("Name", name);
}

After I enter a value in the textbox, it always reports:

列名 '黄生' 无效。 
说明: 执行当前 Web 请求期间,出现未经处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。 

异常详细信息: System.Data.SqlClient.SqlException: 列名 '武凯亮' 无效。

源错误: 


行 42: SqlDataAdapter SqlAd = new SqlDataAdapter(cmd);
行 43: DataSet Rs = new DataSet();
行 44: SqlAd.Fill(Rs);
行 45: DataTable NewsTable = Rs.Tables[0];
行 46: this.GridView1.DataSource = NewsTable;
 

源文件: c:\Users\Administrator\Desktop\学生信息管理系统\Maneger.aspx.cs 行: 44 

堆栈跟踪: 


[SqlException (0x80131904): 列名 '武凯亮' 无效。]
  System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +2062238
  System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +5050268
  System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning() +234
  System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2275
  System.Data.SqlClient.SqlDataReader.ConsumeMetaData() +33
  System.Data.SqlClient.SqlDataReader.get_MetaData() +86
  System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +311
  System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +987
  System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +162
  System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +32
  System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) +141
  System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior) +12
  System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) +10
  System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +144
  System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +319
  System.Data.Common.DbDataAdapter.Fill(DataSet dataSet) +94
  Maneger.LoadMessage(String str1, String str2) in c:\Users\Administrator\Desktop\学生信息管理系统\Maneger.aspx.cs:44
  Maneger.Button1_Click(Object sender, EventArgs e) in c:\Users\Administrator\Desktop\学生信息管理系统\Maneger.aspx.cs:59
  System.Web.UI.WebControls.Button.OnClick(EventArgs e) +118
  System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +112
  System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
  System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
  System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36
  System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5563

 


[Solution]
Since you only want to query by name, there is no need to pass in two parameters.
protected void LoadMessage(string str1)
{
    SqlConnection con = new SqlConnection(strConstrin);
    con.Open();
    // Quote the value so SQL Server reads it as a string literal, not a column name
    sqlString = "select * from Student where Name='" + str1 + "'";
    SqlCommand cmd = new SqlCommand(sqlString, con);
    SqlDataAdapter SqlAd = new SqlDataAdapter(cmd);
    DataSet Rs = new DataSet();
    SqlAd.Fill(Rs);
    DataTable NewsTable = Rs.Tables[0];
    this.GridView1.DataSource = NewsTable;
    this.GridView1.DataBind();
    con.Close();
}

protected void Button1_Click(object sender, EventArgs e)
{
    string name = TextBox1.Text;
    LoadMessage(name);
}

Finally, I strongly recommend using parameterized queries to prevent SQL injection.
[Solution]
sqlString = "select * from Student where " + str1 + "=" + str2 + "";
is wrong. Change it to:
sqlString = "select * from Student where " + str1 + "='" + str2 + "'";

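Because what you enter is a string, and the "Name" column you defined is presumably of type varchar. When the corrected code is run in the debugger, the statement looks like this: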
select * from Student where Name='name'
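This does solve the problem, but it still has a shortcoming: as the sixth-floor reply said, to prevent SQL injection you should use parameterized queries rather than this approach.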
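
Both replies recommend a parameterized query without showing one. The sketch below is an added example, not code from the thread: the class and method names, the "StudentId" column and the NVarChar(50) size are assumptions, and it expects the same connection string the page calls strConstrin.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class StudentQueries   // hypothetical helper, not from the thread
{
    // Columns callers may filter on. "Name" comes from the thread;
    // "StudentId" is a hypothetical column added for illustration.
    private static readonly HashSet<string> FilterColumns =
        new HashSet<string> { "Name", "StudentId" };

    public static DataTable FindStudents(string connectionString, string column, string value)
    {
        // A column name cannot be sent as a parameter, so it is checked
        // against a fixed allowlist before it is placed in the SQL text.
        if (column == null || !FilterColumns.Contains(column))
            throw new ArgumentException("Unsupported filter column.", "column");

        string sql = "SELECT * FROM Student WHERE [" + column + "] = @value";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // The value travels as data, never as SQL text: input such as
            // 黄生 or O'Brien is compared as a string and is neither parsed
            // as a column name nor able to alter the statement.
            // NVarChar(50) is an assumed type and size; match the real schema.
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 50).Value =
                (object)value ?? DBNull.Value;

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                // Fill opens the connection if needed and closes it afterwards.
                adapter.Fill(table);
            }
            return table;
        }
    }
}
```

In the page's code-behind, Button1_Click would bind the result of `StudentQueries.FindStudents(strConstrin, "Name", TextBox1.Text)` to GridView1 and call DataBind(). The using blocks also dispose the connection when Fill throws, which the original con.Close() call does not.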
