从Access到SQL Server [英] From Access To SQL Server

问题描述

你好我怎么能改变这个

Hi how can I change this

str = "UPDATE tblClientes SET Nombre = @NOM WHERE NumId=@NI"
Dim comando As OleDbCommand = New OleDbCommand(str, miConeccion)
commando.Parameters.AddWithValue("@NOM", txtNombre.Text)
commando.Parameters.AddWithValue("@NI" txtNumID.Text)

但要与sql server一起使用





谢谢

but to use it with sql server


thanks

推荐答案

首先，永远不会永远......将SQL查询写入类似的字符串中。

如果有人决定写一些附加到字符串的代码，那么你正在打开SQL注入攻击 - 如果你不知道这意味着什么，请阅读它。

我知道在这种情况下你使用的是参数但如果有人在代码中变得懒惰，这将无法保护你。



使用存储过程和参数如下：

Firstly, never ever, ever, ever... write a SQL query into a string like that.
You are opening yourself up for a SQL Injection Attack if someone decides to write some code that appends to the string - read up on it if you don''t know what this means.
I know in this case you are using parameters but this will not protect you if someone gets lazy in the code.

Use stored procedures and parameters as below:

Private ConnectionObj As New SqlConnection
ConnectionObj.ConnectionString = "Data Source=ServerName;Initial Catalog=DatabaseName;Integrated Security=True"
ConnectionObj.Open()


Dim SQLAdaptorObj As New SqlDataAdapter
Dim SqlCommandObj = New SqlCommand("a_stored_procedure", ConnectionObj)

SqlCommandObj.Parameters.Add("@year", SqlDbType.Int).Value = year
SqlCommandObj.Parameters.Add("@age", SqlDbType.Int).Value = age

SqlCommandObj.CommandType = CommandType.StoredProcedure
Dim DataTableObj As New DataTable


SQLAdaptorObj.SelectCommand = SqlCommandObj
SQLAdaptorObj.Fill(DataTableObj)


SQLAdaptorObj.Dispose()
SqlCommandObj.Dispose()


ConnectionObj.Close()

这篇关于从Access到SQL Server的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！