我建立一个简单的网站使用.NET Web窗体和的.mdb 数据库作为数据源。
I'm building a simple site using .NET Web Forms and a .mdb database as the data source.
现在的问题是:我有一个工作backsite低谷,我可以创建,修改和删除一个新页
The problem is: I have a working backsite trough which I can create, modify and delete a new page.
虽然我可以创建和删除,编辑功能不起作用。
While I can create and delete, the editing feature doesn't work.
我意识到这个问题可能是因为code中的查询工作正常进行的其他功能。
I realized the problem might be in the query since the code is working fine for the other features.
下面是查询:
UPDATE pages
SET title="" + pa.title + "" content ="" + pa.content + ""
WHERE id=" + pa.id
我不是很喜欢SQL的,我做错了什么?
I'm not very fond of SQL, am I doing something wrong?
感谢你在前进
编辑N°2。目前,查询工作不正常,基本上,一些内容和标题中都有撇号,当我更新特定页面不会更新。我试图用Regex.Escape,但它创造了一个烂摊子加入吨。
Edit N°2. At the moment, the query is not working correctly, basically, some of the content and titles have apostrophes in them, and when i update that particular page it won't update. I tried using Regex.Escape but it creates a mess adding tons of .
推荐答案
嗯,你的更新查询缺少字段之间用逗号,但是这是一个大的冰山一角。
Well your update query lacks a comma between fields, but that's only the tip of a big iceberg
UPDATE pages SET title=" + pa.title + ", content =" + pa.content + " WHERE id=" + pa.id
查询这种写法暴露很大的安全问题。这就是所谓的 SQL注入
我将展示一个伪code,因为我没有你的实际code样品
I will show a pseudocode because I don't have a sample of your actual code
string queryText = "UPDATE pages SET title=@title, content=@content WHERE id=@id"
using(SqlConnection cn = new SqlConnection(connection_string))
using(SqlCommand cmd = new SqlCommand(queryText, cn)
{
cmd.Parameters.AddWithValue("@title", pa.title);
cmd.Parameters.AddWithValue("@content", pa.content);
cmd.Parameters.AddWithValue("@id", pa.id);
cmd.ExecuteNonQuery();
}
在这种工作方式,你避免出现SQL注入,解析你的价值观里面单引号和漏水,因为没有设置连接的系统资源。
Working in this way you avoid problems with Sql Injection, parsing of single quotes inside your values and leaking system resource because of connection not disposed.
请参阅 Parametrized查询 使用声明
See Parametrized Queries Using Statement
相关推荐
最新文章