1. 首頁
  2. 問答
  3. asp.net剃刀

asp.net剃刀

2012-02-28 279 views
0

有與(VAR query4)怎麼個APS desn't告訴我任何味精任何問題,但它不能將數據插入到表concerneasp.net剃刀

@{ 
    var userId = Request["UserId"]; 
    var Type = Request["type"]; 
    var db = Database.Open("intranet"); 
    if(Type == "delete") 
    { 

    var query = "UPDATE Personne SET Demande = 'refuser' WHERE UserId = '" + userId + "'"; 
    db.Execute(query); 

    var query2 = "DELETE from DemandeConge where UserId = '" + userId + "'"; 
    db.Execute(query2); 
    } 
    else if(Type == "accepte") 
    { 


     var query = "UPDATE Personne SET Demande = 'accepte' WHERE UserId = '" + userId + "'"; 
     db.Execute(query); 

     var query2 = "DELETE from DemandeConge where UserId = '" + userId + "'"; 
     db.Execute(query2); 


     var query4 = "INSERT INTO CongeAccept(UserId,DateDebut,DateFin,TypeConge) SELECT UserId,DateDebutDemande,DateFinDemande,TypeConge FROM DemandeConge WHERE UserId = '" + userId + "'"; 
     db.Execute(query4); 
    } 
}

和whene我做出評論這個代碼它的工作原理,以及:

/* var query = "UPDATE Personne SET Demande = 'accepte' WHERE UserId = '" + userId + "'"; 
    db.Execute(query); 

    var query2 = "DELETE from DemandeConge where UserId = '" + userId + "'"; 
    db.Execute(query2);*/ 


    var query4 = "INSERT INTO CongeAccept(UserId,DateDebut,DateFin,TypeConge) SELECT UserId,DateDebutDemande,DateFinDemande,TypeConge FROM DemandeConge WHERE UserId = '" + userId + "'"; 
    db.Execute(query4); 
}

來源

2012-02-28 user1233875

+0

**警告**您的代碼容易受到sql注入攻擊。 – 2012-02-28 00:50:21

+0

是的,我知道它只是一個練習考試^^ – user1233875 2012-02-28 00:55:50

回答

0

您正在刪除從DemandeConge涉及到要插入CongeAccept所以當嘗試插入查詢用戶的一切,有沒有東西插。更改您的語句和使用參數的順序:

@{ 
    var userId = Request["UserId"]; 
    var Type = Request["type"]; 
    var db = Database.Open("intranet"); 
    if(Type == "delete") 
    { 

    var query = "UPDATE Personne SET Demande = 'refuser' WHERE UserId = @0"; 
    db.Execute(query, userId); 

    var query2 = "DELETE from DemandeConge where UserId = @0"; 
    db.Execute(query2, userId); 
    } 
    else if(Type == "accepte") 
    { 
     var query = "UPDATE Personne SET Demande = 'accepte' WHERE UserId = @0"; 
     db.Execute(query, userId); 

     var query4 = "INSERT INTO CongeAccept(UserId,DateDebut,DateFin,TypeConge) SELECT UserId,DateDebutDemande,DateFinDemande,TypeConge FROM DemandeConge WHERE UserId = @0"; 
     db.Execute(query4, userId); 

     var query2 = "DELETE from DemandeConge where UserId = @0"; 
     db.Execute(query2, userId); 
    } 
}

來源

2012-02-28 07:13:03

相關問題

 相關問題