我想执行现有记录的更新..我在这里粘贴我的代码的方式我已成功完成我的任务但我不想通过这种方式实际更新..我想这样做,我得到了客户的身份..
private void btnUpdate_Click(object sender, EventArgs e)
{
SqlConnection cn = new SqlConnection(@"Data Source=COMPAQ-PC-PC\SQLEXPRESS;Initial Catalog=Gym;Integrated Security=True");
if (cn.State == ConnectionState.Closed)
{
cn.Open();
}
int result = new SqlCommand("Update Customer set Customer_Name = '" + tbName.Text + "',Cell_Number = '" + tbContactNumber.Text + "',Customer_Address = '" + tbAddress.Text + "' where CustomerID = " + tbID.Text, cn).ExecuteNonQuery();
if (cn.State == ConnectionState.Open)
{
cn.Close();
}
cn.Dispose();
BindGridView();
}
private void BindGridView()
{
SqlConnection cn = new SqlConnection(@"Data Source=COMPAQ-PC-PC\SQLEXPRESS;Initial Catalog=Gym;Integrated Security=True");
SqlCommand cmd = new SqlCommand("Select * from Customer", cn);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataTable dt = new DataTable();
da.Fill(dt);
dgView_CustomerInfo.DataSource = dt.DefaultView;
}
private void dgView_CustomerInfo_RowHeaderMouseClick(object sender, DataGridViewCellMouseEventArgs e)
{
tbID.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["CustomerID"].Value.ToString();
tbName.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["Customer_Name"].Value.ToString();
tbContactNumber.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["Cell_Number"].Value.ToString();
tbAddress.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["Customer_Address"].Value.ToString();
}
上面的编码大猩猩已经给你一个非常好的答案,我支持它.
在你上线20分钟后,你会发现自己要问的问题是:"嘿,所有这些黑客是如何得到我的数据的?"
上面的方法是RIPE for SQL Injection.请在此处阅读:http://www.securiteam.com/securityreviews/5DP0N1P76E.html
不要将这样的代码投入生产.清理输入并使用参数化查询进行数据库交互.
| 归档时间: |
|
| 查看次数: |
215 次 |
| 最近记录: |