从Access到SQL Server [英] From Access To SQL Server
本文介绍了从Access到SQL Server的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
你好我怎么能改变这个
Hi how can I change this
str = "UPDATE tblClientes SET Nombre = @NOM WHERE NumId=@NI"
Dim comando As OleDbCommand = New OleDbCommand(str, miConeccion)
commando.Parameters.AddWithValue("@NOM", txtNombre.Text)
commando.Parameters.AddWithValue("@NI" txtNumID.Text)
但要与sql server一起使用
谢谢
but to use it with sql server
thanks
推荐答案
首先,永远不会永远......将SQL查询写入类似的字符串中。
如果有人决定写一些附加到字符串的代码,那么你正在打开SQL注入攻击 - 如果你不知道这意味着什么,请阅读它。
我知道在这种情况下你使用的是参数但如果有人在代码中变得懒惰,这将无法保护你。
使用存储过程和参数如下:
Firstly, never ever, ever, ever... write a SQL query into a string like that.
You are opening yourself up for a SQL Injection Attack if someone decides to write some code that appends to the string - read up on it if you don''t know what this means.
I know in this case you are using parameters but this will not protect you if someone gets lazy in the code.
Use stored procedures and parameters as below:
Private ConnectionObj As New SqlConnection
ConnectionObj.ConnectionString = "Data Source=ServerName;Initial Catalog=DatabaseName;Integrated Security=True"
ConnectionObj.Open()
Dim SQLAdaptorObj As New SqlDataAdapter
Dim SqlCommandObj = New SqlCommand("a_stored_procedure", ConnectionObj)
SqlCommandObj.Parameters.Add("@year", SqlDbType.Int).Value = year
SqlCommandObj.Parameters.Add("@age", SqlDbType.Int).Value = age
SqlCommandObj.CommandType = CommandType.StoredProcedure
Dim DataTableObj As New DataTable
SQLAdaptorObj.SelectCommand = SqlCommandObj
SQLAdaptorObj.Fill(DataTableObj)
SQLAdaptorObj.Dispose()
SqlCommandObj.Dispose()
ConnectionObj.Close()
这篇关于从Access到SQL Server的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文