asp.net连接问题
asp.net连接问题
提问于 2011-08-18 05:33:04
这是我的ASP.NET代码:
<html>
<body>
<%
Dim Conn
Conn = "Provider=xxxxxx; Server=xxxxxx; Database=xxxxxx; Trusted_Connection=xxx; "
sql="INSERT INTO xxxx"
sql=sql & " VALUES "
sql=sql & "('" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "')"
on error resume next
Conn.Execute sql,recaffected
if err<>0 then
Response.Write("Update Failed")
else
Response.Write("<h3>"Record Added</h3>")
end if
%>
</body>
</html>我总是得到“更新失败”的结果...你能从代码中看出这是为什么吗?
回答 2
Stack Overflow用户
发布于 2011-08-18 23:11:54
建议使用SQL主重构来消除您的注入漏洞。
Dim conn As New SqlConnection(SomeConnectionString)
Dim cmd As SqlCommand = conn.CreateCommand()
conn.Open()
cmd.CommandText="INSERT INTO MyTable(Column1, Column2) " & _
" VALUES (@Value1, @Value2)"
cmd.Parameters.AddWithValue("@Value1", Request.Form("xxxx"))
cmd.Parameters.AddWithValue("@Value2", Request.Form("xxxx"))
'add all your parameters as per above '
cmd.ExecuteNonQuery()Stack Overflow用户
发布于 2011-08-19 01:19:59
您需要取出命令文本并使用过程,否则会给自己带来安全漏洞。切勿将SQL命令放在UI或代码隐藏中。最佳实践是存储过程。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/7109263
复制相关文章
相似问题
腾讯云开发者
