oledbException出现未处理的错误

时间:2013-01-10 17:04:29

标签: c# sql

我正在尝试使用以下代码填充带有姓氏和姓氏的文本框:

using (OleDbConnection connName = new OleDbConnection(strCon))
            {

                String sqlName = "SELECT forename, Surname FROM customer WHERE [customerID]=" + txtCustomerID.Text;

                // Create a command to use to call the database.
                OleDbCommand commandname = new OleDbCommand(sqlName, connName);
                 connName.Open();
                // Create a reader containing the results


                using (OleDbDataReader readerName = commandname.ExecuteReader())
                {
                    readerName.Read(); // Advance to the first row.
                    txtName.Text = readerName[0].ToString();
                }
                connName.Close();                 

             }

但是我收到错误:OleDbException未得到处理。

  

“没有必要参数之一的必需值”

ExecuteReader,我不知道如何解决这个问题。

编辑:下面的代码几乎与查询中的信息完全相同,但是这个例外不会出现。

  string strCon = Properties.Settings.Default.PID2dbConnectionString;

        using (OleDbConnection conn = new OleDbConnection(strCon))
        {
            String sqlPoints = "SELECT points FROM customer WHERE [customerID]=" + txtCustomerID.Text;
            conn.Open();

            // Create a command to use to call the database.
            OleDbCommand command = new OleDbCommand(sqlPoints, conn);
            // Create a reader containing the results

            using (OleDbDataReader reader = command.ExecuteReader())
            {
                reader.Read(); // Advance to the first row.
                txtPoints.Text = reader[0].ToString(); // Read the contents of the first column
            }
            conn.Close();
        }

2 个答案:

答案 0 :(得分:1)

通常的原因是null或空字符串,即txtCustomerID.Text没有值,因此发送到服务器的查询是:

SELECT forename, Surname FROM customer WHERE [customerID]=

您可以避免这样的错误和SQL Injection,使用强类型参数并避免使用参数化查询进行数据截断(我假设客户ID是一个i​​nt字段)

    using (OleDbConnection connName = new OleDbConnection(strCon))
    {
        String sqlName = "SELECT forename, Surname FROM customer WHERE customerID = @CustomerID";

        // Create a command to use to call the database.
        using (OleDbCommand commandname = new OleDbCommand(sqlName, connName))
        {

            //Check the input is valid
            int customerID = 0;
            if (!int.TryParse(txtCustomerID.Text, out customerID))
            {
                txtName.Text = "Customer ID Text box is not an integer";
                return;
            }


            connName.Open();

            // Add the parameter to the command
            commandname.Parameters.Add("@CustomerID", OleDbType.Integer).Value = customerID;

            // Create a reader containing the results
            using (OleDbDataReader readerName = commandname.ExecuteReader())
            {
                readerName.Read(); // Advance to the first row.
                txtName.Text = readerName[0].ToString();
            }
            connName.Close();                 
        }
    }

答案 1 :(得分:0)

您必须对字符串查询中使用的参数进行编码。

  String sqlName = String.Format("SELECT forname, Surname FROM customer WHERE customerID={0}",txtCustomerID.Text);

但我建议你不要在字符串中使用硬编码的SQL查询。它易于SQL注入攻击。你应该使用参数。

相关问题
最新问题