// Review: every value here, including the request-controlled Request.QueryString["id"], is spliced into the
// SQL text by string concatenation, so a quote or SQL fragment inside any of them becomes part of the statement;
// the unquoted id is not checked to be numeric either. Bind the values as SqlParameters instead.
string sql = "update BookInfo set Bname = '" + Bname + "',ISBN='" + isbn + "',publisher='" + publisher + "',sl='" + sl + "',price='" + price + "' where id =" + Request.QueryString["id"];
这句sql语句有问题吗?
// Review: every value here, including the request-controlled Request.QueryString["id"], is spliced into the
// SQL text by string concatenation, so a quote or SQL fragment inside any of them becomes part of the statement;
// the unquoted id is not checked to be numeric either. Bind the values as SqlParameters instead.
string sql = "update BookInfo set Bname = '" + Bname + "',ISBN='" + isbn + "',publisher='" + publisher + "',sl='" + sl + "',price='" + price + "' where id =" + Request.QueryString["id"];
这句sql语句有问题吗?
您提供的 SQL 语句存在一些潜在问题：所有字段值（包括 Request.QueryString["id"]）都是直接拼接到 SQL 文本中的，输入中的引号或 SQL 片段会改变语句本身（SQL 注入），而且未加引号的 id 也没有做数值校验。
下面是一个示例，说明如何使用预处理语句（prepared statement）和参数化查询重写这条 SQL 语句来解决这些问题：
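// Bind every value as a parameter instead of concatenating it into the SQL text, so quotes or
// SQL fragments in the input can no longer change the structure of the statement.
string sql = "update BookInfo set Bname = @Bname, ISBN = @ISBN, publisher = @publisher, sl = @sl, price = @price where id = @id";
// The original statement compared id unquoted, so it is presumably an integer column;
// reject a missing or non-numeric query-string value before creating the command
// (AddWithValue with a null value would otherwise fail only at execution time).
if (!int.TryParse(Request.QueryString["id"], out int id))
{
    throw new ArgumentException("The id in the query string must be an integer.");
}
using (SqlCommand cmd = new SqlCommand(sql, con))
{
    // AddWithValue infers the parameter type from the .NET value; if Bname/isbn/publisher/sl/price
    // are strings, the database converts them to the column types just as it did for the quoted literals.
    cmd.Parameters.AddWithValue("@Bname", Bname);
    cmd.Parameters.AddWithValue("@ISBN", isbn);
    cmd.Parameters.AddWithValue("@publisher", publisher);
    cmd.Parameters.AddWithValue("@sl", sl);
    cmd.Parameters.AddWithValue("@price", price);
    // An explicitly typed Int parameter avoids an nvarchar-to-int conversion on the key comparison.
    cmd.Parameters.Add("@id", System.Data.SqlDbType.Int).Value = id;
    cmd.ExecuteNonQuery();
}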
答题不易,求求您采纳哦