asp.net 后台添加数据时 提示DBHelper.cs 类出现为题
网站后台添加数据时提示
“/400visa”应用程序中的服务器错误。
--------------------------------------------
',' 附近有语法错误。
说明: 执行当前 Web 请求期间,出现未经处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。
异常详细信息: System.Data.SqlClient.SqlException: ',' 附近有语法错误。
源错误:
行 64: }
行 65: conn.Open();
行 66: result = Convert.ToInt32(cmd.ExecuteScalar());
行 67:
行 68: }
源文件: E:\test\software\400visa\houtai\visa.DAL\DBHelper.cs 行: 66
堆栈跟踪:
[SqlException (0x80131904): ',' 附近有语法错误。]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +2062238
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +5050268
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning() +234
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2275
System.Data.SqlClient.SqlDataReader.ConsumeMetaData() +33
System.Data.SqlClient.SqlDataReader.get_MetaData() +86
System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +311
System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +987
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +162
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +32
System.Data.SqlClient.SqlCommand.ExecuteScalar() +139
visa.DAL.DBHelper.GetScalar(String sql, SqlParameter[] values) in E:\test\software\400visa\houtai\visa.DAL\DBHelper.cs:66
visa.DAL.Td_VisaService.InsertTd_Visa(Td_Visa td_Visa) in E:\test\software\400visa\houtai\visa.DAL\Td_VisaService.cs:46
visa.BLL.Td_VisaManager.AddTd_Visa(Td_Visa td_Visa) in E:\test\software\400visa\houtai\visa.BLL\Td_VisaManager.cs:20
systemadmin_tab_visaAdd.BtnAdd_Click(Object sender, EventArgs e) in e:\test\software\400visa\systemadmin\tab\visaAdd.aspx.cs:86
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +118
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +112
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5563
网站做了伪静态,前台页面链接通过id(http://localhost:1510/400visa/nation_5.html)传递参数访问数据库 现在把id改为name来传递参数(http://localhost:1510/400visa/nation_American.html)
.bll添加了一个方法 通过name获得id
public static Td_Country GetTd_CountryByCouEname(string CouEname)
{
return Td_CountryService.SelectTd_CountryByCouEname(CouEname);
}
public static Td_Country SelectTd_CountryByCouEname(string CouEname)
{
Td_Country info = null;//返回值
string sql = string.Format("SELECT * FROM Td_Country WHERE CouEname =\'{0}\'", CouEname);
IList<Td_Country> list = SelectTd_CountriesBySql(sql);
if (list.Count > 0)
{
info = list[0];
}
return info;
}
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
string get = Request.QueryString["id"].ToString();
string[] array = get.Split('_');
string name = array[1];
cont = Td_CountryManager.GetTd_CountryByCouEname(name);
int id = cont.CouId;
string sql = string.Format("select * from td_region where countryid={0}", id);
Repeaterdq.DataSource = Td_RegionManager.SelectAllTd_RegionsBySql(sql);
Repeaterdq.DataBind();
string qzzl = "";
sql = string.Format("select visaname from td_visa where visaregionid in(select regionid from td_region where countryid={0})and visatype=1 group by visaname", id);
DataTable table = DBHelper.GetTable(sql);
foreach (DataRow row in table.Rows)
{
qzzl += "<li><p style='width:330px;'>" + row["visaname"].ToString() + daqu(id, row["visaname"].ToString()) + "</p></li>";
}
Literal1.Text = qzzl;
sql = string.Format("select top 10 * from td_question where countryid={0} order by questiontime desc", id);
Repeaterwt.DataSource = Td_QuestionManager.SelectAllTd_QuestionsBySql(sql);
Repeaterwt.DataBind();
sql = "select top 10 * from td_message where messagetype=5 order by messagetime desc";
Repeaterkx.DataSource = Td_MessageManager.SelectAllTd_MessagesBySql(sql);
Repeaterkx.DataBind();
public static int GetScalar(string safeSql)
{
return GetScalar(safeSql,null);
}
public static int GetScalar(string sql, params SqlParameter[] values)
{
int result = 0;
using (SqlConnection conn = new SqlConnection(connString))
{
SqlCommand cmd = new SqlCommand(sql, conn);
if (values != null)
{
cmd.Parameters.AddRange(values);
}
conn.Open();
result = Convert.ToInt32(cmd.ExecuteScalar());
}
return result;
}
[解决办法]
sql语句有问题,你连防止SQL注入都不写,这代码能安全吗?
我猜CouEname里既有单引号,又有逗号,所以导致拼的sql语句有问题
[解决办法]
那就是其他的拼接的sql语句有问题,你跟踪一下把那条sql语句书出来看看就知道了
