protected void Page_Load(object sender, EventArgs e)
{ if (!IsPostBack)
{
if (Session["adminName"] == null)
{
//Page.RegisterStartupScript("kk", "<script>alert('请先登录')</script>");
Response.Write("请先<a href='login2.aspx'>登录</a>");
Response.End();
}
if (Request.QueryString["id"] == null)
{
Page.RegisterStartupScript("k1", "<script>alert('缺少参数!');</script>");
Response.End();
}
//查询新闻
string cnnstr = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection connection = new SqlConnection(cnnstr);
string selectcmd = "select * from orders where [orderId]=" + Request.QueryString["id"];
SqlDataAdapter da = new SqlDataAdapter(selectcmd, connection);
DataSet ds = new DataSet();
da.Fill(ds);
if (ds.Tables[0].Rows.Count > 0)
{
Label8.Text = ds.Tables[0].Rows[0].ItemArray[0].ToString();
TextBox2.Text = ds.Tables[0].Rows[0].ItemArray[1].ToString();
TextBox5.Text = ds.Tables[0].Rows[0].ItemArray[2].ToString();
TextBox6.Text = ds.Tables[0].Rows[0].ItemArray[3].ToString();
TextBox7.Text = ds.Tables[0].Rows[0].ItemArray[4].ToString();
string sqlcmd = "select * from orderDetails where [orderId]=@orderId";
SqlDataAdapter dc = new SqlDataAdapter(sqlcmd, connection);
dc.SelectCommand.Parameters.AddWithValue("@orderId", ds.Tables[0].Rows[0].ItemArray[0].ToString());
DataSet dd = new DataSet();
dc.Fill(dd);
if (dd.Tables[0].Rows.Count > 0)
{
TextBox3.Text = dd.Tables[0].Rows[0].ItemArray[1].ToString();
TextBox4.Text = dd.Tables[0].Rows[0].ItemArray[2].ToString();
}
} }
这是传入参数的一段代码,u120120528174740这个是orderId列中的一个内容,不知道为什么一直报错,列名 'u120120528174740' 无效。
{ if (!IsPostBack)
{
if (Session["adminName"] == null)
{
//Page.RegisterStartupScript("kk", "<script>alert('请先登录')</script>");
Response.Write("请先<a href='login2.aspx'>登录</a>");
Response.End();
}
if (Request.QueryString["id"] == null)
{
Page.RegisterStartupScript("k1", "<script>alert('缺少参数!');</script>");
Response.End();
}
//查询新闻
string cnnstr = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection connection = new SqlConnection(cnnstr);
string selectcmd = "select * from orders where [orderId]=" + Request.QueryString["id"];
SqlDataAdapter da = new SqlDataAdapter(selectcmd, connection);
DataSet ds = new DataSet();
da.Fill(ds);
if (ds.Tables[0].Rows.Count > 0)
{
Label8.Text = ds.Tables[0].Rows[0].ItemArray[0].ToString();
TextBox2.Text = ds.Tables[0].Rows[0].ItemArray[1].ToString();
TextBox5.Text = ds.Tables[0].Rows[0].ItemArray[2].ToString();
TextBox6.Text = ds.Tables[0].Rows[0].ItemArray[3].ToString();
TextBox7.Text = ds.Tables[0].Rows[0].ItemArray[4].ToString();
string sqlcmd = "select * from orderDetails where [orderId]=@orderId";
SqlDataAdapter dc = new SqlDataAdapter(sqlcmd, connection);
dc.SelectCommand.Parameters.AddWithValue("@orderId", ds.Tables[0].Rows[0].ItemArray[0].ToString());
DataSet dd = new DataSet();
dc.Fill(dd);
if (dd.Tables[0].Rows.Count > 0)
{
TextBox3.Text = dd.Tables[0].Rows[0].ItemArray[1].ToString();
TextBox4.Text = dd.Tables[0].Rows[0].ItemArray[2].ToString();
}
} }
这是传入参数的一段代码,u120120528174740这个是orderId列中的一个内容,不知道为什么一直报错,列名 'u120120528174740' 无效。
上面那句话orderId你去到的是u120120528174740,而你数据库中根本没有字段名为 u120120528174740的字段,这应该是个值,而你当做字段名了
那么得到的sql就是select * from orders where [orderId]=123 and 不存在的列=1,显然就会出错,而且更严重的,有可能会造成安全问题。