如何为richtextbox编写SQL更新语句？ [英] How do I write an SQL update statement for a richtextbox?

问题描述

Hello all. Am new to VB.Net and seeking some assistance. With some help from the internet, I managed to save a richtext document to SQL server and then access for viewing. 

How do I write an update statement to save it back to SQL? 

Thanks in advance.

我的尝试：

What I have tried:

Dim cmd As New SqlCommand("Select richtext from tablename", con)

       Try
           rtbdoc.SaveFile("Test.rtf")
           Dim Stream = New FileStream("Test.rtf", FileMode.Append, FileAccess.ReadWrite)
           Dim size As Integer = Convert.ToInt32(Stream.Length)
               Dim rtf As [Byte]() = New [Byte](size - 1) {}
               Stream.Read(rtf, 0, size)

               Dim paramRTF As New SqlParameter("@rtf", SqlDbType.VarBinary, rtf.Length, ParameterDirection.Input, False, 0, 0, Nothing, DataRowVersion.Current, rtf)

          cmd.CommandText = "Update table SET firstname = '" & txtfirstname.Text & "', lastname = '" & txtlastname.Text & "' richtext = @rtf where id = @id"

           If con.State = ConnectionState.Open Then con.Close()
           con.Open()

           cmd.Parameters.Add("@id", SqlDbType.Int).Value = txtid.Text
           cmd.Parameters.Add(paramRTF)
           'cmd.ExecuteNonQuery(
           cmd.ExecuteNonQuery()

           MessageBox.Show("File Updated Successfully")
           clear()
       Catch ex As Exception
           MsgBox("Error updating record!", MsgBoxStyle.Critical)
           clear()
       Finally
           If Stream.Null IsNot Nothing Then
               Stream.Null.Close()
           End If
       End Try

推荐答案

我不明白，您构建的SQL查询受注入，但您知道如何使用参数保护它们：

I don't understand, you build SQL queries subject to injection, but you know how to secure them with parameters:

cmd.CommandText = "Update table SET firstname = '" & txtfirstname.Text & "', lastname = '" & txtlastname.Text & "' richtext = @rtf where id = @id"

永远不要通过连接字符串来构建SQL查询。迟早，您将使用用户输入来执行此操作，这会打开一个名为SQL注入的漏洞，这对您的数据库很容易并且容易出错。

名称中的单引号你的程序崩溃。如果用户输入像Brian O'Conner这样的名称可能会使您的应用程序崩溃，那么这是一个SQL注入漏洞，崩溃是最少的问题，恶意用户输入，并且它被提升为具有所有凭据的SQL命令。

SQL注入 - 维基百科 [ ^ ]

SQL注入 [ ^ ]

按示例进行SQL注入攻击 [ ^ ]

PHP：SQL注入 - 手册 [ ^ ]

SQL注入预防备忘单 - OWASP [ ^ ]

我该怎么办？解释没有技术术语的SQL注入？ - 信息安全堆栈交换 [ ^ ]

Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]

这篇关于如何为richtextbox编写SQL更新语句？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！