Problem encountered when updating SQL records

Source: Baidu Zhidao   Editor: UC Zhidao   Time: 2024/05/24 13:11:37
Imports System.Data.SqlClient
Imports System.Web.UI.WebControls

Protected Sub dg1_UpdateCommand(ByVal source As Object, ByVal e As System.Web.UI.WebControls.DataGridCommandEventArgs) Handles dg1.UpdateCommand
    Dim cnn As New SqlConnection("Data Source=localhost;Initial Catalog=cdshop;Integrated Security=True")
    Dim strSql As String
    Dim pID, pName, pLei, pInfo, pPrice, pSale As TextBox
    ' Each edited cell holds a TextBox as its first child control
    pID = CType(e.Item.Cells(0).Controls(0), TextBox)
    pName = CType(e.Item.Cells(1).Controls(0), TextBox)
    pLei = CType(e.Item.Cells(2).Controls(0), TextBox)
    pInfo = CType(e.Item.Cells(3).Controls(0), TextBox)
    pPrice = CType(e.Item.Cells(4).Controls(0), TextBox)
    pSale = CType(e.Item.Cells(5).Controls(0), TextBox)
    ' The statement is built by splicing the raw TextBox values into the SQL text
    ' (this is the code as posted; the WHERE clause and the ExecuteNonQuery call are not in the post)
    strSql = "Update Products Set ProductID='" & pID.Text & "',ProductName='" & pName.Text & "',CategoryID=" & CInt(pLei.Text) & ",Description='" & pInfo.Text & "',UnitPrice='" & pPrice.Text & "',OnSale='" & pSale.Text & "'"
End Sub

Use the Command object's Parameters collection to pass the values.
Otherwise, user input containing a single quote or similar characters will cause an error; in fact, SQL injection attacks exploit exactly this. So when executing an SQL statement, all user-supplied values should be put into Parameters rather than being spliced directly into the statement string.

Same as above: use parameters to pass the strings.
Or replace ' with '', e.g.
pName.Text.Replace("'", "''")
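The parameterized version that both answers recommend, written out as an added example (not code from the original post). It assumes the DataGrid's DataKeyField is ProductID so the row's original key is available for the WHERE clause, and the SqlDbType choices and column lengths are assumed from the column names.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.UI.WebControls

' Added example: same update as the posted handler, but every user value travels
' as a typed SqlParameter, so a quote in the text is data, not part of the statement.
Protected Sub dg1_UpdateCommand(ByVal source As Object, ByVal e As DataGridCommandEventArgs) Handles dg1.UpdateCommand
    Dim pID As TextBox = CType(e.Item.Cells(0).Controls(0), TextBox)
    Dim pName As TextBox = CType(e.Item.Cells(1).Controls(0), TextBox)
    Dim pLei As TextBox = CType(e.Item.Cells(2).Controls(0), TextBox)
    Dim pInfo As TextBox = CType(e.Item.Cells(3).Controls(0), TextBox)
    Dim pPrice As TextBox = CType(e.Item.Cells(4).Controls(0), TextBox)
    Dim pSale As TextBox = CType(e.Item.Cells(5).Controls(0), TextBox)

    ' Original key of the edited row (assumes DataKeyField="ProductID" on the grid),
    ' needed because the user may have edited the ProductID cell itself.
    Dim originalID As String = CStr(dg1.DataKeys(e.Item.ItemIndex))

    ' Only placeholders appear in the SQL text; no TextBox value is concatenated in.
    Dim strSql As String = "UPDATE Products SET ProductID=@ProductID, ProductName=@ProductName, " & _
        "CategoryID=@CategoryID, Description=@Description, UnitPrice=@UnitPrice, OnSale=@OnSale " & _
        "WHERE ProductID=@OriginalID"

    Using cnn As New SqlConnection("Data Source=localhost;Initial Catalog=cdshop;Integrated Security=True")
        Using cmd As New SqlCommand(strSql, cnn)
            ' Column types and lengths below are assumptions, not taken from the post.
            ' Numeric fields are converted in VB first, so a non-numeric entry fails here
            ' with a conversion error instead of reaching the database as statement text.
            cmd.Parameters.Add("@ProductID", SqlDbType.NVarChar, 50).Value = pID.Text
            cmd.Parameters.Add("@ProductName", SqlDbType.NVarChar, 100).Value = pName.Text
            cmd.Parameters.Add("@CategoryID", SqlDbType.Int).Value = CInt(pLei.Text)
            cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 500).Value = pInfo.Text
            cmd.Parameters.Add("@UnitPrice", SqlDbType.Money).Value = CDec(pPrice.Text)
            cmd.Parameters.Add("@OnSale", SqlDbType.Bit).Value = CBool(pSale.Text)
            cmd.Parameters.Add("@OriginalID", SqlDbType.NVarChar, 50).Value = originalID

            cnn.Open()
            cmd.ExecuteNonQuery()
        End Using
    End Using

    ' Leave edit mode; the caller rebinds the grid afterwards.
    dg1.EditItemIndex = -1
End Sub
```

Doubling quotes with Replace("'", "''") only protects the string-typed fields; it does nothing for CategoryID, which the posted code inserts unquoted, whereas the typed parameters above cover every field uniformly.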