提问人:Robert DeCrescentis 提问时间:7/28/2018 最后编辑:marc_sRobert DeCrescentis 更新时间:7/28/2018 访问量:705
连接到 SQL Server 数据库 C# ASP.NET 时的 Null 引用 [重复]
Null Reference when connecting to SQL Server database C# ASP.NET [duplicate]
问:
尝试通过 Visual Studio 2017 连接到 SQL Server 数据库时,我一直收到空引用。下面是引用的位置以及它如何尝试连接以收集数据。请帮忙!谢谢!。
配置文件.aspx
protected void updateProfile(object sender, EventArgs e)
{
// Database entry
string message = "Your information has been updated accoridngly!<br><br>";
double number;
if (txtName.Text.Equals("") || ddlDegree.SelectedValue.Equals("") || txtExperience.Text.Equals("") || !Double.TryParse(txtExperience.Text, out number) || txtSalary.Text.Equals("") || txtStreet.Text.Equals("") || txtCity.Text.Equals("") || txtState.Text.Equals("") || txtZipcode.Text.Equals(""))
{
message += "However:<br>There was an error found in your entry fields, resulting in a failure to store field information. Make sure that all fields are filled and that the Experience field is a double value.";
}
else
{
**myDataLayer.updateStaff(Session["userid"].ToString(), txtName.Text, ddlDegree.SelectedValue, txtExperience.Text, txtSalary.Text, txtStreet.Text, txtCity.Text, txtState.Text, txtZipcode.Text);** - **Null Reference**
}
下面是它需要引用的数据层类:
string _ConString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection con;
SqlDataAdapter sda = new SqlDataAdapter();
SqlCommand cmd = new SqlCommand();
SqlDataReader data;
// Handles updating staff info
public bool updateStaff(string userid, string full_name, string degree, string experience, string salary, string street, string city, string state, string zipcode)
{
try
{
con = new SqlConnection(_ConString);
con.Open();
cmd = new SqlCommand();
cmd.Connection = con;
cmd.CommandText = "UPDATE staff SET [full_name] = '" + full_name + "', [degree] = '" + degree + "', [experience] = '" + experience + "', [salary] = '" + salary + "', [street] = '" + street + "', [city] = '" + city + "', [state] = '" + state + "', [zipcode] = '" + zipcode + "' WHERE userid = '" + userid + "'";
cmd.ExecuteNonQuery();
con.Close();
return true;
}
catch (OleDbException e)
{
System.Diagnostics.Debug.WriteLine(e.ToString());
}
finally
{
con.Close();
}
return false;
}
答:
0赞
DRapp
7/28/2018
#1
您的验证很弱,并且永远不会在不参数化的情况下构建用于插入、更新、删除的 sql 命令。你很容易发生SQL-INJECTION。
首先,基本验证。通过使用 IsNullOrWhiteSpace,您可以防止 null 开始(因此您的错误),但也是 SQL 注入的开始。
if( string.IsNulllOrWhiteSpace( txtName.Text )
|| string.IsNullOrWhiteSpace( ddlDegree.SelectedValue )
… )
message back about failed values
现在是 SQL.用户参数。如果你有一个名字,奥康纳会怎样。第一个引号会扼杀字符串单引号平衡。
cmd.Connection = con;
cmd.CommandText =
@"UPDATE staff SET
full_name = @parmFullName,
degree = @parmDegree,
experience = @parmExperience,
salary = @parmSalary,
street = @parmStreet,
city = @parmCity,
state = @parmState,
zipcode = @parmZIP,
where
userid = @parmUserID";
// pulling the parameters from the parameters you pass to your UpdateStaff() call
cmd.Parameters.AddWithValue( "parmFullName", full_name );
cmd.Parameters.AddWithValue( "parmDegree", degree );
cmd.Parameters.AddWithValue( "parmExperience", experience );
cmd.Parameters.AddWithValue( "parmSalary", salary );
cmd.Parameters.AddWithValue( "parmStreet", street);
cmd.Parameters.AddWithValue( "parmCity", city );
cmd.Parameters.AddWithValue( "parmState", state );
cmd.Parameters.AddWithValue( "parmZIP", zipcode );
cmd.Parameters.AddWithValue( "parmUserID", userid );
所以,在大多数情况下,你应该很好。没有 Null 值,没有不匹配的单引号字符串。这不是验证的终极方法,不过,您绝对应该阅读更多关于SQL注入和数据清理的信息。
在我的示例中,我显式地在参数中添加了前缀“parm”,以区分您尝试使用的实际值。
此外,如果数据列是日期、整数、双精度、字符串,则让它们保持预期的类型。参数将正确传递。
评论
0赞
Richardissimo
7/29/2018
可能值得一看的是,我们可以停止使用 AddWithValue 吗?
评论
Session["userid"]ToStringSqlConnectionSqlCommandSqlDataReaderSqlDataAdapterIDisposableusing