c# - 可以选择但不能插入数据库 mysql C# ASP.NET

Question

我连接到我的数据库，我可以毫无问题地检索数据，但我无法插入。警报也没有显示，所以我确定查询没有被执行，它只是重定向到 aspx 页面。我尝试了许多不同的解决方案，但我认为问题不在我正在寻找的地方。这是代码，希望有人能提供帮助。

代码隐藏:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.IO;
using System.Data.SqlClient;
using System.Configuration;
using System.Data;
using System.Threading;
using System.Threading.Tasks;

namespace Childrens.Admin
{
public partial class WebForm1 : System.Web.UI.Page
{
    protected void btnViewStaff_ServerClick(object sender, EventArgs e)
    {
        divAddStaff.Visible = false;
        staffGridView.Visible = true;
    }

    protected void btnAddNewStaff_ServerClick(object sender, EventArgs e)
    {
        staffGridView.Visible = false;
        divAddStaff.Visible = true;
    }

    protected void btnSubmitStaff_ServerClick(object sender, EventArgs e)
    {
        if (txtPassword == txtCPassword)
        {
            using (SqlConnection addStaffConn = new SqlConnection(ConfigurationManager.ConnectionStrings["myConn"].ToString()))
            {
                try
                {
                    addStaffConn.Open();

                    string query = "INSERT INTO [Staff] (staff_fname,staff_sname,staff_email,staff_pass) VALUES ('" + txtFName + "','" + txtSName + "','" + txtEmail + "','" + txtPassword+"')"; //(@fname,@sname,@email,@pass)";
                    SqlDataAdapter staffAdapter = new SqlDataAdapter();
                    SqlCommand addStaffCommand = new SqlCommand(query, addStaffConn);

                    /*addStaffCommand.Parameters.AddWithValue("@fname", txtFName);
                    addStaffCommand.Parameters.AddWithValue("@sname", txtSName);
                    addStaffCommand.Parameters.AddWithValue("@email", txtEmail);
                    addStaffCommand.Parameters.AddWithValue("@pass", txtPassword);*/
                    staffAdapter.InsertCommand = addStaffCommand;
                    staffAdapter.InsertCommand.ExecuteNonQuery();


                    addStaffConn.Close();
                    Response.Write(String.Format("<script>alert('The entry was successful!');window.location='{0}';</script>", "URL=staff.aspx"));

                }
                catch (Exception ex)
                {
                    Response.Write(String.Format("<script>alert('The entry was successful!');window.location='{0}';</script>", "URL=staff.aspx"));
                }
                finally
                {
                    if (addStaffConn.State == System.Data.ConnectionState.Open)
                    {
                        addStaffConn.Close();
                    }
                    addStaffConn.Dispose();
                }
            }
        }
    }
}
}

web.config 文件:

<?xml version="1.0" encoding="utf-8"?>

<!--
For more information on how to configure your ASP.NET application, please 
visit
https://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<appSettings>
    <add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.6.1"/>
<httpRuntime targetFramework="4.6.1"/>
</system.web>
<system.codedom>
<compilers>
  <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.8.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
    warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
  <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
    type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, 
   Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.8.0, 
Culture=neutral, PublicKeyToken=31bf3856ad364e35"
    warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 
/define:_MYTYPE=\&quot;Web\&quot; /optionInfer+"/>
</compilers>
</system.codedom>
<connectionStrings>
<add name="myConn" connectionString="server=localhost;user 
id=root;persistsecurityinfo=True;database=childrens" />
<add name="childrensConnectionString" 
connectionString="server=localhost;user id=root;password=password;persistsecurityinfo=True;database=childrens;allowuservariables=True"
    providerName="MySql.Data.MySqlClient" />
 </connectionStrings>

 </configuration>

Answer 1

你应该使用 MySQL 的 .Net Connector ，而不是用于 MS SQL Server 的库。此外，数据适配器往往更多地用于数据表和类似的东西；根据您的需要，只需执行“命令”对象就足够了。

每个人都提到的安全漏洞是您的查询(充其量)打破了第二个“fname”、“sname”等...包含一个或多个撇号；您应该研究参数化查询以避免此类问题。

编辑:此外，[ 和 ] 是 Microsoft 数据库(MS SQL Server 和 MS Access)的字段分隔符； `(在 ~ 键上)由 MySQL 使用。

编辑#2:漏洞示例:

INSERT INTO [Staff] (staff_fname,staff_sname,staff_email,staff_pass) VALUES ('"+ txtFName + "','"+ txtSName + "','"+ txtEmail + "','"+ txtPassword+ "')"

用户输入他们的名字 O','','','then'), ('they', 'can', 'add', 'multiple'), (' users','or','possibly','worse'), ('without','even','causing','an'), ('error