Question

当我开发注册页面时发生此错误

错误：System.Data.dll中发生了'System.Data.SqlClient.SqlException'类型的异常，但未在用户代码中处理

码

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

public partial class Registration : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationConnectionString"].ConnectionString);
            conn.Open();
            String checkuser = "select count(*) from [UserData] where User Name='"+ TextBox1UN.Text +"'";
            SqlCommand comm = new SqlCommand(checkuser,conn);
             int temp = Convert.ToInt32(comm.ExecuteScalar().ToString());
            if(temp==1)
            {
                Response.Write("user allready exists");

            }

         conn.Close();

        }

    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        try
            {
            SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationConnectionString"].ConnectionString);
            conn.Open();
            String InserQuery = "insert into [UserData](UserName,Email,Password,Country)values(@Uname,@email,@pass,@country)";
            SqlCommand comm = new SqlCommand(InserQuery, conn);
            comm.Parameters.AddWithValue("@Uname", TextBox1UN.Text);
            comm.Parameters.AddWithValue("@email", TextBox2EI);
            comm.Parameters.AddWithValue("@pass", TextBox3PW);
            comm.Parameters.AddWithValue("@country", DropDownList1cont.SelectedItem.ToString());
            comm.ExecuteNonQuery();
            Response.Write("Registration is succesful");
            Response.Write("Administrator.aspx");

            conn.Close();
        }
        catch (SqlException ex)
        {
            Response.Write("Error:"+ex.ToString());
        }
    }

    protected void TextBox1_TextChanged(object sender, EventArgs e)
    {

    }
}

aspx文件：

<asp:SqlDataSource ID="SqlDataSourceRegistration" 
       runat="server" 
       ConnectionString="<%$ConnectionStrings:RegistrationConnectionString %>"
       OnSelecting="SqlDataSourceRegistration_Selecting" 
       SelectCommand="SELECT * FROM [UserData]" >
</asp:SqlDataSource>

Answer 1

Query无效，space与User Name之间的User是sql中的关键字。您的查询应如下所示

"select count(*) from [UserData] where UserName=@username";

使用参数化SQL

将parameters添加到command而不是concatenating值

comm.Parameters.AddWithValue("@username",TextBox1UN.Text);

Answer 2

提示：您的代码非常易于破解/不安全...因为您将用户输入放入sql字符串中，您应该使用参数。

您的字段名称中还有一个空格＆＃39;用户名＆＃39;我猜是你的问题所以我把它作为＆＃39; UserName＆＃39;。

您还应该将代码放入try catch语句中，以便阅读错误。

try
{
    SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationConnectionString"].ConnectionString);

    using (SqlCommand command = new SqlCommand(
        "SELECT COUNT(*) from [UserData] where UserName= @Name", connection))
    {
        // Add new SqlParameter to the command.
        command.Parameters.Add("@Name", SqlDbType.NVarChar).Value = TextBox1UN.Text;

        int temp = Convert.ToInt32(command.ExecuteScalar().ToString());

        if(temp==1)
        {
            Response.Write("user allready exists");
        }
    }
}
catch (Exception ex)
{
    // Display the exception's data dictionary.
    foreach (DictionaryEntry pair in ex.Data)
    {
        Console.WriteLine("{0} = {1}", pair.Key, pair.Value);
    }
}

查询数据库

2 个答案: