这些是我在SAVE按钮上的代码:
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
Dim dbCon As MySqlConnection
Dim conStr As String
conStr = "server=127.0.0.1;uid=root;pwd=;database=ps20150385"
Try
Catch ex As Exception
End Try
dbCon = New MySqlConnection(conStr)
dbCon.Open()
' Add record to database
Dim productName, productCat, unitPrice As String
productName = Trim(TextBox1.Text)
productCat = Trim(ComboBox1.Text)
unitPrice = Trim(TextBox3.Text)
Dim Sql As String = "INSERT INTO products (ProductName,ProductCat,UnitPrice) VALUES('" & TextBox1.Text & "' , '" & ComboBox1.Text & "' , '" & TextBox3.Text & "')"
If TextBox1.Text = "" Or ComboBox1.Text = "" Or TextBox3.Text = "" Then
MsgBox("Please! insert record")
Else
MsgBox("Record inserted successfully.")
End If
Try
DbCommand = New MySqlCommand(Sql, dbconn)
dbread = DbCommand.ExecuteReader()
Me.Close()
Catch ex As Exception
MsgBox("Error in saving to Database. error is :" & ex.Message)
TextBox1.Text = ""
ComboBox1.Text = ""
TextBox3.Text = ""
Exit Sub
End Try
dbread.Close()
TextBox1.Text = ""
ComboBox1.Text = ""
TextBox3.Text = ""
End Sub
答案 0 :(得分:1)
弹出的第一件事是您在.ExecuteReader() cmd上使用INSERT。 INSERT应该以{{1}}
弹出的第二件事是你只是要求sql注入攻击(有目的或偶然)。您应该使用参数,而不是在查询中包含.ExecuteNonQuery()。而不是直接字符串。如果不这样做,一个简单的特殊字符将会破坏您的查询。