我正在坚持这样做,所以让我解释一下:
我想插入这个查询,它会一直被文本框(它们的值等等)改变。它得到@SET)
SET
@entry= 19000,
@displayid= '2727',
@name= 'World Of Wacraft Item',
@description= 'This is just a testing Item',
@allowableclass= '2',
@allowablerace= '2',
@delay= 1000,
@RequiredLevel= 85,
@ItemLevel= 255,
@maxcount= 1,
@dmg_type1= 0,
@dmg_type2= 0,
@Armor= 2540,
@itemset= 232,
@Quality= 5,
@Flags = 0,
@dmg_min1= 0,
@dmg_min2= 0,
@dmg_max1= 0,
@dmg_max2= 0,
@class= 4,
@subclass = 4,
@socketBonus= 3312,
@socketColor_1= 4,
@socketColor_2= 1,
@socketColor_3= 8,
@fire_res= 52,
@holy_res= 33,
@nature_res= 25,
@shadow_res= 52,
@frost_res= 24,
@arcane_res= 65,
@StatsCount= 10,
@InventoryType= 1,
@stat_type1= 6,
@stat_type2= 7,
@stat_type3= 4,
@stat_type4= 13,
@stat_type5= 47,
@stat_type6= 31,
@stat_type7= 0,
@stat_type8= 0,
@stat_type9= 0,
@stat_type10= 0,
@stat_value1= 8567,
@stat_value2= 687658,
@stat_value3= 4756,
@stat_value4= 868,
@stat_value5= 6365,
@stat_value6= 4841,
@stat_value7= 0,
@stat_value8= 0,
@stat_value9= 0,
@stat_value10= 0;
INSERT INTO item_template (entry, displayid, Name, description, allowableclass, allowablerace, delay, requiredlevel, itemlevel, maxcount, dmg_type1, dmg_type2, armor, itemset, quality, flags, dmg_min1, dmg_min2, dmg_max1, dmg_max2, class, subclass, socketbonus, socketcolor_1, socketcolor_2, socketcolor_3, fire_res, holy_res, nature_res, shadow_res, frost_res, arcane_res, statscount, inventorytype, stat_type1, stat_type2, stat_type3, stat_type4, stat_type5, stat_type6, stat_type7, stat_type8, stat_type9, stat_type10, stat_value1, stat_value2, stat_value3, stat_value4, stat_value5, stat_value6, stat_value7, stat_value8, stat_value9, stat_value10)
VALUES
(@entry, @displayid,
@name, @description,
@allowableclass, @allowablerace,
@delay, @RequiredLevel, @ItemLevel,
@maxcount, @dmg_type1, @dmg_type2,
@armor, @itemset, @quality, @flags,
@dmg_min1, @dmg_min2, @dmg_max1, @dmg_max2,
@class, @subclass, @socketbonus,
@socketColor_1, @socketColor_2, @socketColor_3,
@fire_res, @holy_res, @nature_res, @shadow_res,
@frost_res, @arcane_res,
@StatsCount, @InventoryType, @stat_type1,
@stat_type2, @stat_type3, @stat_type4,
@stat_type5, @stat_type6, @stat_type7,
@stat_type8, @stat_type9, @stat_type10,
@stat_value1, @stat_value2, @stat_value3,
@stat_value4, @stat_value5, @stat_value6,
@stat_value7, @stat_value8,
@stat_value9, @stat_value10);
此结果将出现在名为= outputsql.text
的文本框中所以这是VB.NET代码
Dim MysqlConn As MySqlConnection
Dim COMMAND As MySqlCommand
MysqlConn = New MySqlConnection
MysqlConn.ConnectionString = "server =" + TextBox1.Text + ";userid=" + TextBox3.Text + ";password=" + TextBox4.Text + ";database=" + TextBox5.Text + ";port=" + TextBox2.Text
Dim reader As MySqlDataReader
Try
MysqlConn.Open()
Dim query As String
query = Outputsql.text
COMMAND = New MySqlCommand(query, MysqlConn)
reader = COMMAND.ExecuteReader
MysqlConn.Close()
Catch ex As MySqlException
MessageBox.Show(ex.message)
Finally
MysqlConn.Dispose()
End Try
答案 0 :(得分:0)
首先,我建议使用SQLConnectionString Builder来避免恶意注入攻击。
Dim sb As New MySqlConnectionStringBuilder
sb.Server = TextBox1.Text
sb.UserID = TextBox3.Text
sb.Password = TextBox4.Text
sb.Database = TextBox5.Text
sb.Port = TextBox2.Text
Using cn As New MySqlConnection(sb.ConnectionString)
接下来,跳过所有Set部分,然后以Insert作为命令文本开始。
Dim query As String = "Insert Into item_template (entry, displayid,.....VALUES (@entry, @displayid,@name, @description,.....@stat_value10);"
Using cmd As New MySqlCommand(query, cn)
然后为您的命令的每个字段添加参数。这也可以防止恶意注入。
cmd.Parameters.Add("@entry", MySqlDbType.Int32).Value = 19000 'or CInt(TextBox?.Text) or a variable
cmd.Parameters.Add("@display", MySqlDbType.VarChar).Value = "2727" 'or TextBox?.Text or a variable
cmd.Parameters.Add("@name", MySqlDbType.VarChar).Value = "World of Wacraft Item" 'or TextBox?.Text or a variable
Reader用于检索数据而不是插入命令。使用.ExecuteNonQuery进行插入,更新和删除。这将返回受影响的行。
cn.Open()
Dim ReturnValue As Integer = cmd.ExecuteNonQuery
cn.Close()
End Using
End Using
使用语句可确保正确处理连接和命令对象,并且即使出现错误也会返回资源。