cmd.Connection = con;
con.Open();
cmd.CommandText = "Update tiit.Enquiry Set Status='" + DropDownList4.SelectedValue + "', NextFollowup='" + TextBox8.Text + "', Remarks='" + TextBox9.Text + "', Name='" + TextBox1.Text + "', Email='" + TextBox2.Text + "', Phone='" + TextBox3.Text + "','','','','', City='" + TextBox4.Text + "', Country='" + TextBox5.Text + "', Course='" + TextBox6.Text + "', Comments='" + TextBox7.Text + "', Cost='" +TextBox14.Text+ "' where SN='" + HiddenField1.Value + "'";
int i = cmd.ExecuteNonQuery();
con.Close();
答案 0 :(得分:3)
不,不要这样做。在构建SQL查询时,从不使用字符串连接(+运算符)。使用参数化查询:
cmd.Connection = con;
con.Open();
cmd.CommandText = "UPDATE tiit.Enquiry Set Status=@Status, NextFollowup=@NextFollowup, ...";
cmd.Parameters.AddWithValue("@Status", DropDownList4.SelectedValue);
cmd.Parameters.AddWithValue("@NextFollowup", TextBox8.Text);
...
这样您的代码就不会受到SQL注入攻击,并且您不会遇到任何编码问题。
答案 1 :(得分:3)
很可能这个:
"Update tiit.Enquiry Set Status='"
我完全同意 - 使用参数化查询。