使用 C#/HTML 向 SQL 数据库提交反馈答案

【问题标题】：Submit Feedback to SQL Database with C#/HTML使用 C#/HTML 向 SQL 数据库提交反馈
【发布时间】：2015-09-18 00:08:05
【问题描述】：

我正在尝试在按下按钮时运行 C# 函数，该按钮获得评分 (1-7) 并将其与文本输入一起放入数据库。反馈部分：

<asp:PlaceHolder ID="AnswersPlaceholder" runat="server" Visible="false">

<asp:Literal ID="AnswerLiteral" runat="server"></asp:Literal>
<br />
<br />
<div class="FeedbackTitle">How accurate do you find this result?</div>

<center><p><input class="FeedbackChoice" type="checkbox" value="1"  name="feedback"  id="F1">Way off!</p></center>
<center><p><input class="FeedbackChoice" type="checkbox" runat="server" value="2"  name="feedback"  id="F2">Mostly inaccurate</p></center>
<center><p><input class="FeedbackChoice" type="checkbox" runat="server" value="3"  name="feedback"  id="F3">Somewhat accurate</p></center>
<center><p><input type="text" style="width:40%; border: solid,thick; border-color:blue" name="Note" runat="server" class="FeedbackNote" /></p></center>
<button class="ContinueButton" runat="server" onclick="SubmitFeedback_click">Continue</button>

及其调用的函数：

protected void SubmitFeedback_Click(object sender, EventArgs e)
{
    string FeedbackNoteString = "";
    string FeedbackButtonString =  "";
    int UseUserID = 0;
    int Feedback = 0;
    try
    {

        UserInfo _currentUser = UserController.Instance.GetCurrentUserInfo();
        UseUserID = _currentUser.UserID;
    }
    catch (OleDbException ex)
    {
        Console.WriteLine("Error: {0}", ex.Errors[0].Message);
    }

    finally
    {


    OleDbConnection bConnection = new OleDbConnection("Driver={SQL Server};Provider=SQLOLEDB........(credentials hidden)");
    OleDbCommand DoesFeedbackExistCommand = new OleDbCommand("SELECT * FROM ss_QuizFeedback WHERE UserId = " + UseUserID.ToString(), bConnection);
    OleDbDataReader DoesFeedbackExistReader = DoesFeedbackExistCommand.ExecuteReader(); SqlConnection SSSqlConnection = new SqlConnection(ConfigurationManager.ConnectionStrings["SiteSqlServer"].ConnectionString);
    SqlCommand FeedbackNoteCommand = SSSqlConnection.CreateCommand();
    SqlCommand FeedbackButtonCommand = SSSqlConnection.CreateCommand();

    bConnection.Open();

    while (DoesFeedbackExistReader.Read())
    {
        Feedback++;         
    }

    if (Feedback == 0)
    {
            FeedbackNoteString = "INSERT INTO ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ("
            + UseUserID.ToString() + ","
            + Request.Form["Note"] + ")";

            FeedbackButtonString = "INSERT INTO ss_SoulGoalsFeedback (UserId,Rating) VALUES ("
            + UseUserID.ToString() + ","
            + Request.Form["feedback"].ToString() + ")";
    }

    else if (Feedback != 0)
    {
        FeedbackNoteString = "UPDATE ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ("
        + UseUserID.ToString() + ","
        + Request.Form["Note"] + ")";
    }   

    FeedbackNoteCommand.CommandText = FeedbackNoteString;
    FeedbackNoteCommand.ExecuteNonQuery();

    FeedbackButtonCommand.CommandText = FeedbackButtonString;
    FeedbackButtonCommand.ExecuteNonQuery();

    SSSqlConnection.Close();
    bConnection.Close();
}    
}

当按钮被按下时，页面刷新但不将它们放入数据库。

【问题讨论】：

尝试输出您的INSERT 语句以查看您正在调用的内容并在您的数据库上运行它。您的UPDATE 查询也不正确。
不相关的评论..但避免SQLInjections。
这是有史以来最奇怪的代码。你怎么能在后面的网站代码中使用Console.WriteLine？为什么在你的finally 块中发生了这么多事情（应该只包含清理代码）？代码结构可能掩盖了导致失败的异常。

标签： c# html sql asp.net sql-server

【解决方案1】：

您的程序可能正在生成无效的 SQL。例如

FeedbackNoteString = "INSERT INTO ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ("
+ UseUserID.ToString() + ","
+ Request.Form["Note"] + ")";

应该是

FeedbackNoteString = "INSERT INTO ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ('"
+ UseUserID.ToString() + "','"
+ Request.Form["Note"] + "')";

甚至更好

FeedbackNoteString = String.Format("INSERT INTO ss_SoulGoalsQuizFeedback (UserId,SoulGoalsNote) VALUES ('{0}','{1}'), UseUserID.ToString(), Request.Form["Note"]);

（请注意，我在您与 SQL 连接的两个字符串周围添加了单引号。）

顺便说一句，您的代码很容易受到 SQL 注入的攻击。您可能需要考虑使用存储过程来执行这些数据库操作。

【讨论】：