如何参数化此Sql语句? [英] How Do I Parameterise This Sql Statement?
本文介绍了如何参数化此Sql语句?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有以下SQL语句来搜索表中的记录。我应该如何将其转换为参数化语句以防止SQL注入攻击?谢谢
i have the following SQL statement to search for records in a table. how should i convert it into a parameterised statement to prevent sql injection attacks? thanks
con.Open()
Dim da As New SqlDataAdapter("Select * from Students " & _
"where student_id like '%" & Me.srcTxt.Text.Trim & "%' " & _
"or " & _
"student_firstname like '%" & Me.srcTxt.Text.Trim & "%' " & _
"or " & _
"student_lastname like '%" & Me.srcTxt.Text.Trim & "%'", con)
da.Fill(ds)
con.Close()
For i As Integer = 0 To ds.Tables(0).Rows.Count - 1
Dim lvi As New ListViewItem
lvi.Text = ds.Tables(0).Rows(i)(0).ToString()
For j As Integer = 1 To ds.Tables(0).Rows(i).ItemArray.Length - 1
lvi.SubItems.Add(ds.Tables(0).Rows(i)(j).ToString())
Next
lvw.Items.Add(lvi)
Next
推荐答案
阅读: MSDN [ ^ ]
public sub Page_Load()
Me.DoFunction(Me.srcTxt.Text);//call the parametarized method
end sub
public sub DoFunction(ByVal text as String)
con.Open()
Dim da As New SqlDataAdapter("Select * from Students " & _
"where student_id like '%" & text & "%' " & _
"or " & _
"student_firstname like '%" & text & "%' " & _
"or " & _
"student_lastname like '%" & text & "%'", con)
da.Fill(ds)
con.Close()
end sub
这篇关于如何参数化此Sql语句?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文