Updating an mdb database table
Question
I'm building a simple site using .NET Web Forms and a .mdb database as the data source.
The problem is: I have a working backsite through which I can create, modify and delete a new page.
While I can create and delete, the editing feature doesn't work.
I realized the problem might be in the query since the code is working fine for the other features.
Here is the query:
UPDATE pages
SET title=\"" + pa.title + "\" content =\"" + pa.content + "\"
WHERE id=" + pa.id
I'm not very fond of SQL; am I doing something wrong?
Thanks in advance.
Edit N°2. At the moment, the query is not working correctly. Basically, some of the content and titles have apostrophes in them, and when I update that particular page it won't update. I tried using Regex.Escape but it creates a mess, adding tons of \.
Answer
Well, your update query lacks a comma between fields, but that's only the tip of a big iceberg:
UPDATE pages SET title=" + pa.title + ", content =" + pa.content + " WHERE id=" + pa.id
Writing the query this way exposes a big security problem. It is called SQL Injection.
I will show pseudocode because I don't have a sample of your actual code:
// Parameter placeholders instead of concatenated values
string queryText = "UPDATE pages SET title=@title, content=@content WHERE id=@id";
// 'using' disposes the connection and command even if an exception is thrown
using(SqlConnection cn = new SqlConnection(connection_string))
using(SqlCommand cmd = new SqlCommand(queryText, cn))
{
    cmd.Parameters.AddWithValue("@title", pa.title);
    cmd.Parameters.AddWithValue("@content", pa.content);
    cmd.Parameters.AddWithValue("@id", pa.id);
    cn.Open();
    cmd.ExecuteNonQuery();
}
Working in this way you avoid problems with SQL Injection, parsing of single quotes inside your values, and leaking system resources because of connections not being disposed.
See
Parametrized Queries: http://stackoverflow.com/questions/5468425/how-do-parameterized-queries-help-against-sql-injection
Using Statement
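Since the question is about an Access .mdb file, the data provider .NET actually uses for it is OleDb rather than SqlClient. The following is an added example, not code from the question or the answer: it puts the concatenation pattern from the question (returned as text so the broken statement is visible when the title contains an apostrophe) beside the parameterized OleDb UPDATE the answer recommends. Assumed, not taken from the page: a table named pages with columns id (Long), title (Text) and content (Memo), the file path in the connection string, and the Page class and method names.

```csharp
// Added example (not from the original question or answer).
// Assumptions: table "pages" with columns id (Long), title (Text), content (Memo);
// the .mdb path below is a placeholder; the Jet provider is 32-bit only.
using System;
using System.Data;
using System.Data.OleDb;

public class Page
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
}

public static class PageRepository
{
    // Classic Jet connection string for an .mdb file (assumed location).
    private const string ConnectionString =
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\site\\App_Data\\pages.mdb";

    // The question's approach: SQL text built by string concatenation. Returned
    // here only so the reader can see what the database would receive. With a
    // title such as  It's a test  the apostrophe closes the single-quoted
    // literal early, the statement no longer parses, and the row is not updated.
    public static string BuildConcatenatedUpdate(Page pa)
    {
        return "UPDATE pages SET title='" + pa.Title + "', content='" + pa.Content +
               "' WHERE id=" + pa.Id;
    }

    // Parameterized version for OleDb. OleDb binds parameters by position and
    // ignores their names, so the '?' placeholders must be added in the same
    // order they appear in the statement. Values are sent outside the SQL text,
    // so quotes inside them are data, never syntax.
    public static int UpdatePage(Page pa, string connectionString = ConnectionString)
    {
        const string sql = "UPDATE pages SET title = ?, content = ? WHERE id = ?";
        using (var cn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, cn))
        {
            cmd.Parameters.Add("title", OleDbType.VarWChar, 255).Value = pa.Title;
            cmd.Parameters.Add("content", OleDbType.LongVarWChar).Value = pa.Content;
            cmd.Parameters.Add("id", OleDbType.Integer).Value = pa.Id;
            cn.Open();
            // Rows affected: 1 on success, 0 when no page has that id.
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed sample input containing apostrophes.
        var pa = new Page { Id = 7, Title = "It's a test", Content = "Bob's page" };
        Console.WriteLine(BuildConcatenatedUpdate(pa)); // shows the broken literal
        int rows = UpdatePage(pa);
        Console.WriteLine(rows == 1 ? "updated" : "no row with that id");
    }
}
```

The explicit OleDbType for each parameter matters with Jet: content is a Memo column, so it is bound as LongVarWChar, while AddWithValue would have to infer a type from the string and may truncate or mistype long text.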