除了Page指令中要加上: ValidateRequest="false" 之外,
在Action的特性上也要加上[ValidateInput(false)]。注意:关闭请求验证后,这些字段中的HTML会原样进入数据库,页面输出时必须做HTML编码或白名单过滤,否则会形成存储型XSS。
2、文件上传控件必须让Form标签加上: enctype="multipart/form-data" 属性。
在后台可以通过:
HttpPostedFileBase file = this.HttpContext.Request.Files[0];
得到上传的文件对象。(使用前应先判断 file 不为 null 且 file.ContentLength > 0,否则用户未选择文件时可能会把一个空文件保存下来。)
更新操作的Action
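[AcceptVerbs(HttpVerbs.Post)]
[ValidateInput(false)]
public ActionResult BookDetail(int id, string title, string author,
    string Cover, string isbn, string publisher, string category,
    string TOC, string aurhorDescription, string contentDescription) {
    // Updates the Books row identified by id and, when a new cover image was
    // posted, stores it as ~/Images/BookCovers/<isbn>.jpg; then redirects to
    // BookList. Nothing is returned to the caller apart from the redirect.
    //
    // [ValidateInput(false)] switches request validation off so TOC and the two
    // description fields can carry raw HTML. Every view that renders those
    // columns must HTML-encode or whitelist-sanitise them, otherwise this action
    // is a stored-XSS sink.
    // NOTE(review): the action has no anti-forgery check. Adding
    // [ValidateAntiForgeryToken] here plus Html.AntiForgeryToken() inside the
    // form would close that gap; both halves must change together.
    // "Cover" is unused: the upload itself arrives through Request.Files.
    // The posted isbn is not written to the row (the UPDATE does not set ISBN),
    // so if the form changes it the cover is stored under a name the row does
    // not reference - presumably intended, worth confirming.

    // The original had "Data Source=.;Initial Catalog=MyBookShop;uid=sa" in
    // source: the sa login, with no password. Read the string from web.config
    // instead and point it at a login that can only update Books.
    // "MyBookShop" is a placeholder connectionStrings name - adjust to match.
    System.Configuration.ConnectionStringSettings settings =
        System.Configuration.ConfigurationManager.ConnectionStrings["MyBookShop"];
    if (settings == null) {
        throw new InvalidOperationException(
            "Connection string 'MyBookShop' is missing from web.config.");
    }

    // Look at the upload first so an invalid isbn is rejected before the row
    // is changed. An <input type="file"> left empty still shows up in
    // Request.Files with ContentLength 0; treating that as "no new cover"
    // stops it from overwriting the existing image with an empty file.
    HttpPostedFileBase file = this.HttpContext.Request.Files["Cover"];
    bool hasNewCover = file != null && file.ContentLength > 0;
    if (hasNewCover) {
        // isbn becomes part of a file-system path below, so accept only a short
        // run of letters, digits and hyphens; ".", "/", "\" and therefore ".."
        // are rejected before the value reaches Server.MapPath.
        bool isbnOk = !string.IsNullOrEmpty(isbn) && isbn.Length <= 20;
        if (isbnOk) {
            foreach (char c in isbn) {
                if (!char.IsLetterOrDigit(c) && c != '-') {
                    isbnOk = false;
                    break;
                }
            }
        }
        if (!isbnOk) {
            throw new HttpException(400, "Invalid ISBN.");
        }
    }

    string sql = @"UPDATE Books SET Title=@Title,author=@author,
AurhorDescription = @authorDescription, contentDescription=@contentDescription,
PublisherId = @PublisherId, CategoryId = @CategoryId, TOC = @TOC
WHERE ID=@ID";
    // using blocks close the connection even when ExecuteNonQuery throws; the
    // original con.Close() was skipped on any exception and leaked the connection.
    using (SqlConnection con = new SqlConnection(settings.ConnectionString))
    using (SqlCommand com = new SqlCommand(sql, con)) {
        com.Parameters.Add("@Title", SqlDbType.VarChar).Value = title;
        com.Parameters.Add("@author", SqlDbType.VarChar).Value = author;
        com.Parameters.Add("@authorDescription", SqlDbType.VarChar).Value = aurhorDescription;
        com.Parameters.Add("@contentDescription", SqlDbType.VarChar).Value = contentDescription;
        com.Parameters.Add("@PublisherId", SqlDbType.VarChar).Value = publisher;
        com.Parameters.Add("@CategoryId", SqlDbType.VarChar).Value = category;
        com.Parameters.Add("@TOC", SqlDbType.VarChar).Value = TOC;
        // id is an int here; binding it as VarChar (as the original did) only
        // forces SQL Server to convert it back on every call.
        com.Parameters.Add("@ID", SqlDbType.Int).Value = id;
        con.Open();
        com.ExecuteNonQuery();
    }

    if (hasNewCover) {
        // The extension is fixed to .jpg, so whatever was uploaded can never be
        // stored under a script extension; the file content is not inspected.
        string path = Server.MapPath("~/Images/BookCovers/" + isbn + ".jpg");
        file.SaveAs(path);
    }
    return this.RedirectToAction("BookList");
}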
view中的代码:[ValidateInput(false)]
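public ActionResult BookDetail(int id, string title, string author,
    string Cover, string isbn, string publisher, string category,
    string TOC, string aurhorDescription, string contentDescription) {
    // Updates the Books row identified by id and, when a new cover image was
    // posted, stores it as ~/Images/BookCovers/<isbn>.jpg; then redirects to
    // BookList. Nothing is returned to the caller apart from the redirect.
    //
    // The attribute [ValidateInput(false)] on this action switches request
    // validation off so TOC and the two description fields can carry raw HTML.
    // Every view that renders those columns must HTML-encode or
    // whitelist-sanitise them, otherwise this action is a stored-XSS sink.
    // NOTE(review): the action has no anti-forgery check. Adding
    // [ValidateAntiForgeryToken] here plus Html.AntiForgeryToken() inside the
    // form would close that gap; both halves must change together.
    // "Cover" is unused: the upload itself arrives through Request.Files.
    // The posted isbn is not written to the row (the UPDATE does not set ISBN),
    // so if the form changes it the cover is stored under a name the row does
    // not reference - presumably intended, worth confirming.

    // The original had "Data Source=.;Initial Catalog=MyBookShop;uid=sa" in
    // source: the sa login, with no password. Read the string from web.config
    // instead and point it at a login that can only update Books.
    // "MyBookShop" is a placeholder connectionStrings name - adjust to match.
    System.Configuration.ConnectionStringSettings settings =
        System.Configuration.ConfigurationManager.ConnectionStrings["MyBookShop"];
    if (settings == null) {
        throw new InvalidOperationException(
            "Connection string 'MyBookShop' is missing from web.config.");
    }

    // Look at the upload first so an invalid isbn is rejected before the row
    // is changed. An <input type="file"> left empty still shows up in
    // Request.Files with ContentLength 0; treating that as "no new cover"
    // stops it from overwriting the existing image with an empty file.
    HttpPostedFileBase file = this.HttpContext.Request.Files["Cover"];
    bool hasNewCover = file != null && file.ContentLength > 0;
    if (hasNewCover) {
        // isbn becomes part of a file-system path below, so accept only a short
        // run of letters, digits and hyphens; ".", "/", "\" and therefore ".."
        // are rejected before the value reaches Server.MapPath.
        bool isbnOk = !string.IsNullOrEmpty(isbn) && isbn.Length <= 20;
        if (isbnOk) {
            foreach (char c in isbn) {
                if (!char.IsLetterOrDigit(c) && c != '-') {
                    isbnOk = false;
                    break;
                }
            }
        }
        if (!isbnOk) {
            throw new HttpException(400, "Invalid ISBN.");
        }
    }

    string sql = @"UPDATE Books SET Title=@Title,author=@author,
AurhorDescription = @authorDescription, contentDescription=@contentDescription,
PublisherId = @PublisherId, CategoryId = @CategoryId, TOC = @TOC
WHERE ID=@ID";
    // using blocks close the connection even when ExecuteNonQuery throws; the
    // original con.Close() was skipped on any exception and leaked the connection.
    using (SqlConnection con = new SqlConnection(settings.ConnectionString))
    using (SqlCommand com = new SqlCommand(sql, con)) {
        com.Parameters.Add("@Title", SqlDbType.VarChar).Value = title;
        com.Parameters.Add("@author", SqlDbType.VarChar).Value = author;
        com.Parameters.Add("@authorDescription", SqlDbType.VarChar).Value = aurhorDescription;
        com.Parameters.Add("@contentDescription", SqlDbType.VarChar).Value = contentDescription;
        com.Parameters.Add("@PublisherId", SqlDbType.VarChar).Value = publisher;
        com.Parameters.Add("@CategoryId", SqlDbType.VarChar).Value = category;
        com.Parameters.Add("@TOC", SqlDbType.VarChar).Value = TOC;
        // id is an int here; binding it as VarChar (as the original did) only
        // forces SQL Server to convert it back on every call.
        com.Parameters.Add("@ID", SqlDbType.Int).Value = id;
        con.Open();
        com.ExecuteNonQuery();
    }

    if (hasNewCover) {
        // The extension is fixed to .jpg, so whatever was uploaded can never be
        // stored under a script extension; the file content is not inspected.
        string path = Server.MapPath("~/Images/BookCovers/" + isbn + ".jpg");
        file.SaveAs(path);
    }
    return this.RedirectToAction("BookList");
}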
<form enctype="multipart/form-data" method="post">
<style>
#author
{
width:300px;
}
#title
{
width:300px;
}
#publisher
{
width:300px;
}
#category
{
width:300px;
}
#aurhorDescription
{
width :600px;
}
#contentDescription
{
width :600px;
}
</style>
<table style=" 100%;">
<tr>
<td style=" 102px">
书名
</td>
<td>
<%=Html.TextBox("title", book.Title)%>
</td>
</tr>
<tr>
<td style=" 102px">
作者
</td>
<td>
<%= Html.TextBox("author", book.Author)%>
</td>
</tr>
<tr>
<td style=" 102px">
封面
</td>
<td>
<img src='/Images/BookCovers/<%= book.ISBN %>.jpg' />
<input type="file" name = "Cover" />
</td>
</tr>
<tr>
<td style=" 102px">
ISBN
</td>
<td>
<%= Html.TextBox("isbn", book.ISBN)%>
</td>
</tr>
<tr>
<td style=" 102px">
出版社
</td>
<td>
<asp:DropDownList ID="publisher" runat="server" DataTextField="Name" DataValueField="ID">
</asp:DropDownList>
<%=Html.Hidden("publisher", book.PublisherId)%>
</td>
</tr>
<tr>
<td style=" 102px">
分类
</td>
<td>
<asp:DropDownList ID="category" runat="server" DataTextField="Name" DataValueField="ID">
</asp:DropDownList>
<%=Html.Hidden("category", book.CategoryId)%>
</td>
</tr>
<tr>
<td style=" 102px">
目录
</td>
<td>
<FTB:FreeTextBox ID="TOC" runat="server" >
</FTB:FreeTextBox>
<%=Html.Hidden("TOC")%>
</td>
</tr>
<tr>
<td style=" 102px">
作者简介
</td>
<td>
<%= Html.TextArea("aurhorDescription", book.AurhorDescription)%>
</td>
</tr>
<tr>
<td style=" 102px">
摘要
</td>
<td>
<%= Html.TextArea("contentDescription", book.ContentDescription)%>
</td>
</tr>
</table>
<input type="submit" value="提交" onclick="return getData()" />
<script language ="javascript">
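// Runs from the submit button's onclick. Copies the current values of the
// three server controls (the two DropDownLists and the FreeTextBox) into the
// plain hidden inputs "category", "publisher" and "TOC" that the BookDetail
// action binds, then returns true so the form submits.
// The source ids are the ClientIDs ASP.NET generated for the controls inside
// the MainPlaceHolder content placeholder. If the naming container changes
// those ids change too; the original then threw a TypeError mid-submit and
// the form still posted with stale hidden values. Each pair is now checked,
// so a missing element is skipped instead of aborting the handler.
function getData() {
    var pairs = [
        ["category", "ctl00_MainPlaceHolder_category"],
        ["publisher", "ctl00_MainPlaceHolder_publisher"],
        ["TOC", "ctl00_MainPlaceHolder_TOC"]
    ];
    for (var i = 0; i < pairs.length; i++) {
        var target = document.getElementById(pairs[i][0]);
        var source = document.getElementById(pairs[i][1]);
        if (target && source) {
            target.value = source.value;
        }
    }
    return true;
}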
</script>
</form>