I do the following to run a query against an Access DB.
    Dim search As String = txtUnitCode.Text
    Dim sText As String = String.Empty
    Dim aClients As String = My.Settings.ClientDB
    Dim sConnString As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data source=" & aClients & ""
    Using cn As New OleDb.OleDbConnection(sConnString)
        cn.Open()
        If txtUnitCode.Text = "" Then Exit Sub
        ' The text box value is concatenated straight into the SQL text (this is the line Code Analysis flags)
        Dim cmd As New OleDb.OleDbCommand("SELECT Name FROM Units WHERE (Code = " & search & ") ", cn)
        Dim r As OleDb.OleDbDataReader = cmd.ExecuteReader()
        If Not r.HasRows Then Exit Sub
        Do While r.Read()
            sText = sText & r.GetString(0)
        Loop
    End Using
    txtUnitName.Text = sText
When I run Code Analysis in VS, it reports a vulnerability on this line:

    Dim cmd As New OleDb.OleDbCommand("SELECT Name FROM Units WHERE (Code = " & search & ") ", cn)

Basically I think it is suggesting that the search part of the code should ideally be a Parameter. I have handled this in other code using OleDbDataAdapter, but I can't get it to work through OleDbConnection.

Any pointers?

Thanks
Answer 0 (score: 1)
The connection has no parameters. You can use the OleDbConnectionStringBuilder class to build the connection string.

But for the Command object, yes, always use parameters to avoid SQL injection:

    ' The placeholder stands in for the value; the value itself never becomes part of the SQL text
    Dim cmd As New OleDb.OleDbCommand("SELECT Name FROM Units WHERE Code = @code", cn)
    cmd.Parameters.AddWithValue("@code", search)

Note that the OleDb library does not actually use the @code name; it fills in parameters by index order, so you could replace @code with a single question mark (?).
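The following is an added example (not the asker's or the answerer's code) that puts the answer's advice together: the connection string is built with OleDbConnectionStringBuilder, the query uses a positional "?" placeholder with an explicitly typed OleDbParameter instead of AddWithValue, and the text box input is validated before it reaches the database. It assumes, as the question's unquoted comparison suggests, that the Code column is numeric and Name is text; My.Settings.ClientDB, txtUnitCode and txtUnitName come from the question, everything else (the module and function names) is hypothetical.

```vb
' Added example, not code from the original question or answer.
' Assumes: My.Settings.ClientDB holds the path to an .mdb file (from the question),
' the Units table has a numeric Code column and a text Name column (assumption).
Imports System.Data.OleDb
Imports System.Text

Module UnitLookup

    ' Build the connection string with OleDbConnectionStringBuilder instead of
    ' concatenating the path, so a path containing ';' or '=' cannot add or
    ' override other connection-string keys.
    Function BuildConnectionString(dbPath As String) As String
        Dim csb As New OleDbConnectionStringBuilder()
        csb.Provider = "Microsoft.Jet.OLEDB.4.0"
        csb.DataSource = dbPath
        Return csb.ConnectionString
    End Function

    ' Validate the text box input before it goes near the database. The original
    ' query compares Code to an unquoted value, so an input such as "0 OR 1=1"
    ' would have been executed as SQL; here it simply fails to parse.
    Function TryParseUnitCode(text As String, ByRef code As Integer) As Boolean
        Return Integer.TryParse(text.Trim(), code)
    End Function

    ' Safe lookup: the user value is sent as a parameter, never spliced into the
    ' SQL text. OleDb parameters are positional, so the placeholder is "?" and
    ' parameters are added in the order the placeholders appear.
    Function LookupUnitName(dbPath As String, code As Integer) As String
        Dim sb As New StringBuilder()
        Using cn As New OleDbConnection(BuildConnectionString(dbPath))
            cn.Open()
            Using cmd As New OleDbCommand("SELECT Name FROM Units WHERE Code = ?", cn)
                ' Declare the OLE DB type explicitly rather than letting AddWithValue infer it
                Dim p As OleDbParameter = cmd.Parameters.Add("code", OleDbType.Integer)
                p.Value = code
                Using r As OleDbDataReader = cmd.ExecuteReader()
                    Do While r.Read()
                        ' Guard against NULL names, which would make GetString throw
                        If Not r.IsDBNull(0) Then sb.Append(r.GetString(0))
                    Loop
                End Using
            End Using
        End Using
        Return sb.ToString()
    End Function

    ' Replacement for the body shown in the question (txtUnitCode/txtUnitName from the question).
    Sub FillUnitName(txtUnitCode As TextBox, txtUnitName As TextBox)
        Dim code As Integer
        If Not TryParseUnitCode(txtUnitCode.Text, code) Then Exit Sub
        txtUnitName.Text = LookupUnitName(My.Settings.ClientDB, code)
    End Sub

End Module
```

Using Parameters.Add with an OleDbType rather than AddWithValue avoids a second, quieter problem: AddWithValue infers the parameter type from the .NET value, so passing the raw String from the text box would send a text parameter against a numeric column and rely on the provider to convert it. Validating with Integer.TryParse first also keeps the behaviour of the original code (exit without changing txtUnitName when the box is empty), since an empty string fails to parse.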