这是我的ASP.NET代码:
<html>
<body>
<%
Dim Conn
Conn = "Provider=xxxxxx; Server=xxxxxx; Database=xxxxxx; Trusted_Connection=xxx; "
sql="INSERT INTO xxxx"
sql=sql & " VALUES "
sql=sql & "('" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "')"
on error resume next
Conn.Execute sql,recaffected
if err<>0 then
Response.Write("Update Failed")
else
Response.Write("<h3>"Record Added</h3>")
end if
%>
</body>
</html>
我总是得到“更新失败”的结果......你能从代码中看到为什么会这样吗?
答案 0 :(得分:1)
建议主要重构以消除您的SQL注入漏洞。
Dim conn As New SqlConnection(SomeConnectionString)
Dim cmd As SqlCommand = conn.CreateCommand()
conn.Open()
cmd.CommandText="INSERT INTO MyTable(Column1, Column2) " & _
" VALUES (@Value1, @Value2)"
cmd.Parameters.AddWithValue("@Value1", Request.Form("xxxx"))
cmd.Parameters.AddWithValue("@Value2", Request.Form("xxxx"))
'add all your parameters as per above '
cmd.ExecuteNonQuery()
答案 1 :(得分:0)
您需要取出命令文本并使用程序,否则您会打开自己的安全漏洞。切勿将您的SQL命令放在UI上或代码隐藏。最佳实践是存储过程。