使用ASP.NET& VB.NET我试图更新用户密码,它等于sessionID
数据库使用是SQL Local。
这是vb .net代码
Dim pass As String
pass = tboxConFirmPass.Text
Dim connce As SqlCeConnection = New SqlCeConnection(ConfigurationManager.ConnectionStrings("ConnectionString").ToString())
connce.Open() 'make the connection to DB
Dim sqlCommand As String = "UPDATE [tbCustomer] SET [Password] = ('" _
+ tboxConFirmPass.Text + "', '" + "WHERE [CustomerID] = @CustomerID" + "')"
Dim cmd As SqlCeCommand = New SqlCeCommand(sqlCommand, connce)
cmd.ExecuteNonQuery()
connce.Close()
MsgBox("Your Password has been chaged.")
End Sub
这是SqlDataSource
UpdateCommand="UPDATE [tbCustomer] SET [Password] = @Password WHERE [CustomerID] = @CustomerID">
错误=解析查询时出错。 [令牌行号= 1,令牌行偏移= 42,令牌错误=,]
答案 0 :(得分:0)
是的,您的查询需要更改:
Dim sqlCommand As String = "UPDATE [tbCustomer] SET [Password] = '" _
& Replace(tboxConFirmPass.Text, "'", "''") & "' WHERE [CustomerID] = @CustomerID"
我已将您的括号和引号不匹配排序,将字符串连接运算符更改为&并放弃了以减少SQL注入漏洞的可能性(如果有人在他们的密码中放入单引号,您的查询将不再fall,或更糟)。
要为@CustomerID设置值,您需要将SQL参数添加到命令对象。如果您没有给它一个值,那么您将收到评论中提到的错误。或者,您可以像使用密码一样连接值:
Dim sqlCommand As String = "UPDATE [tbCustomer] SET [Password] = '" _
& Replace(tboxConFirmPass.Text, "'", "''") & "' WHERE [CustomerID] = " & CustomerID
请注意,您需要使用一个初始化的变量,其中包含正在更改密码的客户的ID。