Unclosed quotation mark after the character string ')'

Time: 2015-01-22 15:42:51

Tags: sql asp.net vb.net

I am trying to insert data into my table, but the problem is that it gives me an error, returned at Cmd.ExecuteReader:

    Unclosed quotation mark after the character string ')'.

Here is the code from my file MyModule.VB.

Imports System.Data
Imports System.Data.SqlClient

Public Module MyModule1

    Public ServerName As String = "MIRA"
    Public dataBaseName As String = "BaseDB"

    Public Cn As New SqlConnection("server=" & ServerName & "; initial catalog=" & dataBaseName & " ; integrated security= true")
    Public Cmd As New SqlCommand
    Public Dr As SqlDataReader

    Public Sub OpenCn()
        If Cn.State <> ConnectionState.Open Then
            Cn.Open()
        End If
    End Sub

    Public Sub CloseCn()
        If Cn.State = ConnectionState.Open Then
            Cn.Close()
        End If
    End Sub

    ' type "r" = select (returns a reader); anything else = insert / update / delete (returns the row count)
    Public Function ExecSQL(ByVal sql As String, Optional ByVal type As String = "r")
        OpenCn()
        Cmd.CommandType = CommandType.Text
        Cmd.CommandText = sql
        Cmd.Connection = Cn
        If type = "r" Then
            Return Cmd.ExecuteReader
        Else
            Return Cmd.ExecuteNonQuery
        End If
        CloseCn() ' never reached: both branches above return before this line
    End Function

    ' Builds the INSERT by string concatenation; any value containing an apostrophe
    ' ends the quoted literal early and produces the "Unclosed quotation mark" error.
    ' Note that the default type "r" makes this INSERT run through ExecuteReader.
    Public Function AddDB(ByVal natureD As String, ByVal codeP As String, ByVal exigence As String, ByVal nomE As String, ByVal Dt As String, ByVal equipe As String, ByVal Dat1 As String, ByVal Suivi As String)
        Return ExecSQL("insert into DossierB values('" & natureD & "', '" & codeP & "', '" & exigence & "', '" & nomE & "', '" & Dt & "', '" & equipe & "', '" & Dat1 & "', '" & Suivi & "' )")
    End Function

End Module

Here is the code of AjoutDB.aspx.vb

Public Class AjoutDB
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

    End Sub

    Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        ' Raw form values; Request.Form returns Nothing for a field that was not posted
        Dim natureD = Request.Form("DropDownList1")
        Dim codeP = Request.Form("TextBox2")
        Dim exigence = Request.Form("TextBox5")
        Dim nomE = Request.Form("TextBox4")
        Dim dt = Request.Form("TextBox8")
        Dim equipe = Request.Form("TextBox6")
        Dim Dat1 = Request.Form("TextBox9")
        Dim Suivi = Request.Form("TextBox7")
        AddDB(natureD, codeP, exigence, nomE, dt, equipe, Dat1, Suivi)
        MsgBox("données inserees") ' shows a dialog on the web server, not in the user's browser
    End Sub
End Class

Thanks a lot

1 answer:

Answer 0 (score: 0)

You need to parameterize your queries. This does not directly answer your question, but until you parameterize the query there will be no end to the errors you may see.

As it stands, it is very easy for an attacker to manipulate your database. In fact, the security of the whole machine could be compromised.

Here is a basic explanation of parameterization with examples: https://stackoverflow.com/a/7505842/1415038
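For reference, this is what a parameterized replacement for the question's AddDB looks like in VB.NET. It is an added example, not code from the answer or from the linked post. It keeps the positional INSERT INTO DossierB VALUES (...) from the question so no column names have to be guessed; the NVarChar parameter size, the DBNull mapping for missing form fields and the module name SafeMyModule are assumptions, since the table definition is not shown.

```vb
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Public Module SafeMyModule
    ' Same server/database values as the question's module.
    Public ServerName As String = "MIRA"
    Public dataBaseName As String = "BaseDB"

    Private ReadOnly ConnString As String =
        "server=" & ServerName & ";initial catalog=" & dataBaseName & ";integrated security=true"

    ' Request.Form returns Nothing for a field that was not posted. A Nothing parameter
    ' value makes SqlClient report that the parameter was not supplied, so it is mapped
    ' to DBNull here (assumption: the columns allow NULL; otherwise validate and reject).
    Private Function ValueOrDbNull(ByVal value As String) As Object
        If value Is Nothing Then Return DBNull.Value
        Return value
    End Function

    ' Parameterized version of AddDB. The eight values travel as typed SqlParameters,
    ' so an apostrophe in the input (e.g. "l'exigence") is stored as data and can no
    ' longer end the SQL literal early, which is what produced
    ' "Unclosed quotation mark after the character string ')'".
    ' Returns the number of rows inserted.
    Public Function AddDB(ByVal natureD As String, ByVal codeP As String, ByVal exigence As String,
                          ByVal nomE As String, ByVal Dt As String, ByVal equipe As String,
                          ByVal Dat1 As String, ByVal Suivi As String) As Integer
        Const sql As String =
            "INSERT INTO DossierB VALUES (@natureD, @codeP, @exigence, @nomE, @Dt, @equipe, @Dat1, @Suivi)"

        ' Parameter name/value pairs, in the same order as the VALUES list above.
        Dim values() As KeyValuePair(Of String, String) = {
            New KeyValuePair(Of String, String)("@natureD", natureD),
            New KeyValuePair(Of String, String)("@codeP", codeP),
            New KeyValuePair(Of String, String)("@exigence", exigence),
            New KeyValuePair(Of String, String)("@nomE", nomE),
            New KeyValuePair(Of String, String)("@Dt", Dt),
            New KeyValuePair(Of String, String)("@equipe", equipe),
            New KeyValuePair(Of String, String)("@Dat1", Dat1),
            New KeyValuePair(Of String, String)("@Suivi", Suivi)
        }

        ' One connection and one command per call, disposed by Using even if an exception
        ' is thrown: no shared Cn/Cmd left open between page requests as in the original.
        Using cn As New SqlConnection(ConnString)
            Using cmd As New SqlCommand(sql, cn)
                For Each kv In values
                    ' Size 255 is an assumption; match it to the DossierB column definitions.
                    cmd.Parameters.Add(kv.Key, SqlDbType.NVarChar, 255).Value = ValueOrDbNull(kv.Value)
                Next
                cn.Open()
                Return cmd.ExecuteNonQuery() ' an INSERT is a non-query; no reader involved
            End Using
        End Using
    End Function
End Module
```

The Button1_Click handler calls this AddDB with the same eight Request.Form values as before; the return value tells it whether a row was inserted, and that result belongs in a page control such as a Label rather than in MsgBox, which only raises a dialog on the server.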