Asp.net 下拉列表框中的特殊字符出错
Asp.net Special Character in dropdownlist box giving error
我正在从数据库中填充下拉列表框。在数据库中,数据中有一些特殊的章程(软件,--管理等)。当我单击显示按钮以根据所选值查看记录时,出现以下错误..
“/”应用程序中的服务器错误。
's' 附近的语法不正确。
字符串 ' ' 后的非闭合引号。
说明:在执行当前 Web 请求期间发生未处理的异常。请查看堆栈跟踪以获取有关错误及其在代码中的来源的详细信息。
Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near 's'.
Unclosed quotation mark after the character string ' '.
Source Error:
Line 208: SqlDataAdapter da = new SqlDataAdapter(cmd);
Line 209: DataSet ds = new DataSet();
Line 210: da.Fill(ds);
Line 211: gvUsrEdit.DataSource = ds;
Line 212: gvUsrEdit.DataBind();
请帮忙。
//ON page Load Binding all 4 DDL
protected void Page_Load(object sender, EventArgs e)
{
string ses1 = Session["s"].ToString();
if (!IsPostBack)
{
string str5 = "SELECT distinct v_UserID FROM tblUsrMain WHERE v_UserID= '" + ses1 + "'";
da1 = new SqlDataAdapter(str5, con);
dt1 = new DataTable();
da1.Fill(dt1);
ddlEmpName.DataSource = dt1;
ddlEmpName.DataTextField = "v_UserID";
ddlEmpName.DataValueField = "v_UserID";
ddlEmpName.DataBind();
}
}
//Current Code whcih is giving error
protected void btnShow_Click(object sender, EventArgs e)
{
string strquery = "select * from btaprs2 where vEmpID='" + ddlEmpName.Text + "' and vQuarter='" + ddlQuater.Text + "' and vyear1='" + ddlyear.Text + "' and tKRA='" + ddlKRA.Text + "' and v10='Active'";
SqlCommand cmd = new SqlCommand(strquery, con);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds);
gvUsrEdit.DataSource = ds;
gvUsrEdit.DataBind();
con.Close();
}
//New Code i am thinking about
protected void btnShow_Click(object sender, EventArgs e)
{
string d1 = ddlEmpName.Text;
string d2 = ddlQuater.Text;
string d3 = ddlyear.Text;
string d4 = ddlKRA.Text;
string strquery = "select * from btaprs2 where vEmpID=@d1 and vQuarter=@d2 and vyear1=@d3 and tKRA=@d4 and v10='Active' ";
if (con.State != ConnectionState.Closed)
{
con.Close();
}
con.Open();
SqlCommand cmd = new SqlCommand(strquery, con);
cmd.Parameters.AddWithValue("@d1", d1);
cmd.Parameters.AddWithValue("@d2", d2);
cmd.Parameters.AddWithValue("@d3", d3);
cmd.Parameters.AddWithValue("@d4", d4);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds);
gvUsrEdit.DataSource = ds;
gvUsrEdit.DataBind();
con.Close();
}
尝试像这样发送参数
protected void btnShow_Click(object sender, EventArgs e)
{
string d1 = ddlEmpName.Text;
string d2 = ddlQuater.Text;
string d3 = ddlyear.Text;
string d4 = ddlKRA.Text;
string strquery = "select * from btaprs2 where vEmpID=@d1 and vQuarter=@d2 and vyear1=@d3 and tKRA=@d4 and v10='Active' ";
if (con.State != ConnectionState.Closed)
{
con.Close();
}
con.Open();
SqlCommand cmd = new SqlCommand(strquery, con);
cmd.Parameters.AddWithValue("@d1", d1);
cmd.Parameters.AddWithValue("@d2", d2);
cmd.Parameters.AddWithValue("@d3", d3);
cmd.Parameters.AddWithValue("@d4", d4);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds);
gvUsrEdit.DataSource = ds;
gvUsrEdit.DataBind();
con.Close();
}
您应始终在查询中使用参数 - 切勿将 SQL 语句连接在一起。
SQL 注射
SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application. The
vulnerability is present when user input is either incorrectly
filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and thereby
unexpectedly executed. It is an instance of a more general class of
vulnerabilities that can occur whenever one programming or scripting
language is embedded inside another. SQL injection attacks are also
known as SQL insertion attacks
我正在从数据库中填充下拉列表框。在数据库中,数据中有一些特殊的章程(软件,--管理等)。当我单击显示按钮以根据所选值查看记录时,出现以下错误..
“/”应用程序中的服务器错误。 's' 附近的语法不正确。 字符串 ' ' 后的非闭合引号。 说明:在执行当前 Web 请求期间发生未处理的异常。请查看堆栈跟踪以获取有关错误及其在代码中的来源的详细信息。
Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near 's'.
Unclosed quotation mark after the character string ' '.
Source Error:
Line 208: SqlDataAdapter da = new SqlDataAdapter(cmd);
Line 209: DataSet ds = new DataSet();
Line 210: da.Fill(ds);
Line 211: gvUsrEdit.DataSource = ds;
Line 212: gvUsrEdit.DataBind();
请帮忙。
//ON page Load Binding all 4 DDL
protected void Page_Load(object sender, EventArgs e)
{
string ses1 = Session["s"].ToString();
if (!IsPostBack)
{
string str5 = "SELECT distinct v_UserID FROM tblUsrMain WHERE v_UserID= '" + ses1 + "'";
da1 = new SqlDataAdapter(str5, con);
dt1 = new DataTable();
da1.Fill(dt1);
ddlEmpName.DataSource = dt1;
ddlEmpName.DataTextField = "v_UserID";
ddlEmpName.DataValueField = "v_UserID";
ddlEmpName.DataBind();
}
}
//Current Code whcih is giving error
protected void btnShow_Click(object sender, EventArgs e)
{
string strquery = "select * from btaprs2 where vEmpID='" + ddlEmpName.Text + "' and vQuarter='" + ddlQuater.Text + "' and vyear1='" + ddlyear.Text + "' and tKRA='" + ddlKRA.Text + "' and v10='Active'";
SqlCommand cmd = new SqlCommand(strquery, con);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds);
gvUsrEdit.DataSource = ds;
gvUsrEdit.DataBind();
con.Close();
}
//New Code i am thinking about
protected void btnShow_Click(object sender, EventArgs e)
{
string d1 = ddlEmpName.Text;
string d2 = ddlQuater.Text;
string d3 = ddlyear.Text;
string d4 = ddlKRA.Text;
string strquery = "select * from btaprs2 where vEmpID=@d1 and vQuarter=@d2 and vyear1=@d3 and tKRA=@d4 and v10='Active' ";
if (con.State != ConnectionState.Closed)
{
con.Close();
}
con.Open();
SqlCommand cmd = new SqlCommand(strquery, con);
cmd.Parameters.AddWithValue("@d1", d1);
cmd.Parameters.AddWithValue("@d2", d2);
cmd.Parameters.AddWithValue("@d3", d3);
cmd.Parameters.AddWithValue("@d4", d4);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds);
gvUsrEdit.DataSource = ds;
gvUsrEdit.DataBind();
con.Close();
}
尝试像这样发送参数
protected void btnShow_Click(object sender, EventArgs e)
{
string d1 = ddlEmpName.Text;
string d2 = ddlQuater.Text;
string d3 = ddlyear.Text;
string d4 = ddlKRA.Text;
string strquery = "select * from btaprs2 where vEmpID=@d1 and vQuarter=@d2 and vyear1=@d3 and tKRA=@d4 and v10='Active' ";
if (con.State != ConnectionState.Closed)
{
con.Close();
}
con.Open();
SqlCommand cmd = new SqlCommand(strquery, con);
cmd.Parameters.AddWithValue("@d1", d1);
cmd.Parameters.AddWithValue("@d2", d2);
cmd.Parameters.AddWithValue("@d3", d3);
cmd.Parameters.AddWithValue("@d4", d4);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds);
gvUsrEdit.DataSource = ds;
gvUsrEdit.DataBind();
con.Close();
}
您应始终在查询中使用参数 - 切勿将 SQL 语句连接在一起。
SQL 注射
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks