OleDbException was unhandled by user code in c#

2019-09-12 04:29发布

问题:

Here is the cs file:

public int CheckExisting(String sqlDbQry, String sTable)
    {
        Qry = sqlDbQry;
        con = new OleDbConnection(connectionstr);
        if (con.State == ConnectionState.Open)
            con.Close();
        con.Open();
        cmd = new OleDbCommand(Qry, con);
        dr = cmd.ExecuteReader();
        while (dr.Read())
            rQry = Convert.ToInt32(dr[0].ToString());
        con.Close();
        return rQry;
    }

Here is my another cs:

protected void btnsub_Click(object sender, EventArgs e)
        {
            if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Email='" + Textemail.Text.Trim() + "'", "Temp") > 0)
            {
                lblmail.Text = "Your EmailId already Registered, Please Login!";
                return;
            }
            if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Phone_num='" + Textphone.Text.Trim() + "'", "Temp") > 0)
            {
                lblmail.Text = "Mobile number already exists, Please Login!";

                return;
            }
}

When i enter input details and hit submit, it shows error something like this,

Here is the error of Screenshot

Can anyone help me to fix this?

回答1:

You are manually building a sql string from a textbox labeled "email". Email addresses usually contain an "@". Because you are building a raw sql query you are putting the "@" directly in to the query. OleDb interprets that as a SQL parameter, and expects you to supply it, which you are not, which is what is causing the error. You will get a similar error if any of your text boxes contain a ' (single quote).

You should look in to using OleDbCommand and OleDbParameter to pass in your parameters instead of sending raw strings. This will also fix your sql injection attack vulnerability that others have mentioned.



回答2:

I can't edit your post so I'm doing it here.

public int CheckExisting(String sqlDbQry, String sTable)
{
    try
    {
        Qry = sqlDbQry;
        con = new OleDbConnection(connectionstr);
        if (con.State == ConnectionState.Open)
            con.Close();
        con.Open();
        cmd = new OleDbCommand(Qry, con);
        dr = cmd.ExecuteReader();
        while (dr.Read())
            rQry = Convert.ToInt32(dr[0].ToString());
        con.Close();
        return rQry;
    }
    catch (OleDbException ex)
    {
        string message = ex;
        //put your message on a texbox or alert handler error on the web
        //or while debugging use a breakpoint on the exception handler
        //use log
        Console.WriteLine(message);
    }
}


回答3:

Keep in mind that with OleDb, parameters are positional, not named. You can name your parameters, but you cannot use the @ syntax in your command (it throws an error about needing to declare a scalar variable) ... the correct syntax is to use the ? ... and it will take the parameters in the order in which you've added them.

Also, I prefer the .AddWithValue syntax, which is even more readable, I think.



回答4:

protected void btnsub_Click(object sender, EventArgs e)
    {
        if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Email='" + this.Textemail.Text.Trim() + "'", "Temp") > 0)
        {
            lblmail.Text = "Your EmailId already Registered, Please Login!";
            return;
        }
        if (objAdmin.CheckExisting("SELECT COUNT(*) FROM registration where Phone_num='" + this.Textphone.Text.Trim() + "'", "Temp") > 0)
        {
            lblmail.Text = "Mobile number already exists, Please Login!";

            return;
        }

}

Just put this.Textemail.Text and this.Textphone.Text , i hope so it will be helpful for you.