为什么这个查询无法编译?

时间:2012-12-30 05:31:34

标签: asp.net vb.net

这段代码有什么问题? 

Dim mycon As OleDbConnection
    Dim cmd As OleDbCommand
    Dim sqlstring, game, ram, vga, scr, download, gametype, size As String
    game = TextBox1.Text
    download = TextBox2.Text
    scr = TextBox3.Text
    vga = TextBox4.Text
    ram = TextBox5.Text
    size = TextBox6.Text
    gametype = DropDownList1.SelectedValue.ToString
    mycon = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("../games.mdb"))
    mycon.Open()
    sqlstring = "INSERT INTO [Games] ( Name , url , image , Vga , Ram , Size , Type ) VALUES ('" + game + "' , '" + download + "' , '" + scr + "' , '" + vga + "' , '" + ram + "' , '" + size + "' , '" + gametype + "')"
    cmd = New OleDbCommand(sqlstring, mycon)
    cmd.ExecuteNonQuery()
    mycon.Close()

当我运行它时,我得到:

error in 
Line 21:         cmd.ExecuteNonQuery()

游戏架构 ID |名称|网址|图片| VGA |拉姆|大小|类型

堆栈追踪:

[OleDbException (0x80040e14): Syntax error in INSERT INTO statement.]
   System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) +1090740
   System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) +247
   System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) +189
   System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) +58
   System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) +162
   System.Data.OleDb.OleDbCommand.ExecuteNonQuery() +107
   admin_editgames.Button1_Click(Object sender, EventArgs e) in E:\New folder (4)\WebSite1\admin\editgames.aspx.vb:23
   System.Web.UI.WebControls.Button.OnClick(EventArgs e) +9553594
   System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +103
   System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +35
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1724

1 个答案:

答案 0 :(得分:0)

您的任何TextBox输入的输入值是否都有撇号(“'”)?如果是这样,你需要用另一个撇号来逃避它们:

game = Replace(TextBox1.Text, "'", "''")
' repeated for all variables

当您阅读有关SQL注入攻击的信息时,这种代码就是它们的发生方式。

相关问题
最新问题