How do I update data more conveniently?


Problem description







Hi,

I need to update my data based on the textbox input on my Windows form.
But I feel the following SQL query is too long and cumbersome.
Is there some more convenient way to do the Update?
Thanks for the help.

Jason

Here is some of my code:
// mConn, mComm, mTrans and gstrConn are fields of the form.
public void UpdateData(string strUpdateQry)
{
    mConn = new SqlConnection(gstrConn); // new connection needs to be here first
    mConn.Open();
    mComm = new SqlCommand(strUpdateQry, mConn);
    mTrans = mConn.BeginTransaction();
    mComm.Transaction = mTrans;
    try
    {
        mComm.ExecuteNonQuery(); // an INSERT returns no rows, so ExecuteReader is the wrong call here
        mTrans.Commit();
    }
    catch (SqlException e)
    {
        mTrans.Rollback();
    }
    mConn.Close();
} // UpdateData

// Every textbox value is concatenated straight into the SQL text.
string strUpdate = "INSERT INTO Contact (CustNo,Serial,Contact,";
strUpdate += "ContactDept, ContactTitle, ContactPhone,";
strUpdate += "ContactPhoneExt, ContactCellPhone, ContactFax,";
strUpdate += "Email) VALUES (";
strUpdate += "'" + m_iCustNo + "', ";
strUpdate += "'" + txtSerial.Text + "', ";
strUpdate += "'" + txtContact.Text + "', ";
strUpdate += "'" + txtContactDept.Text + "', ";
strUpdate += "'" + txtContactTitle.Text + "', ";
strUpdate += "'" + txtContactPhone.Text + "', ";
strUpdate += "'" + txtContactPhoneExt.Text + "', ";
strUpdate += "'" + txtContactCellPhone.Text + "', ";
strUpdate += "'" + txtContactFax.Text + "', ";
strUpdate += "'" + txtEmail.Text + "') ";

this.UpdateData(strUpdate);

Solution

Not really. You could use SQL parameters, and use a DataAdapter, but
you end up writing basically the same UPDATE statement in the end.

At least, though, you should use a StringBuilder, or maybe
String.Format instead of all of those concatenates.

However, I should point out that the way you've written your SQL,
you've left yourself wide open for a classic SQL injection attack. What
if a user types this into the txtContactDept text box:

' ); DROP TABLE Contact --

? You'll insert it right into the middle of your UPDATE and Boom! No
more contacts table. In fact, a user can do anything at all to your
database, right from your Contacts form.

You need to write yourself a little method:

public static string EscapeSQLText(string text)
{
    StringBuilder sb = new StringBuilder();
    foreach (char c in text)
    {
        if (c == '\'') { sb.Append('\''); }
        sb.Append(c);
    }
    return sb.ToString();
}

Then change those direct insertions into something like this:

strUpdate += "'" + EscapeSQLText(txtContactDept.Text) + "', ";

This will insert two single quotes for each single quote in an input
string, and render SQL injection attacks from your form impossible.

Alternatively, if you use SqlParameters instead of a straight text
string SQL command, you'll also render SQL injection attacks impossible.


At a minimum, if you decide to do SQL on the fly, you need to double
single quotes. Search on SQL Injection attacks.

Regards,
Jeff

*** Sent via Developersdex http://www.developersdex.com ***
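As an added example (not code from the thread), here is Jason's INSERT done with SqlParameters, the alternative Bruce names; the class name, the column widths and the one-row-per-call method signature are assumptions, while the table and column names come from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread: Jason's INSERT done with
// SqlParameters, the alternative Bruce names. Class name, column widths
// and the single-row-per-call shape are assumptions.
public static class ContactRepository
{
    // The statement text is a constant. Form values travel as typed
    // parameters, so a quote or semicolon typed into a textbox is stored
    // as data in its column instead of being parsed as part of the SQL.
    private const string InsertSql =
        "INSERT INTO Contact (CustNo, Serial, Contact, ContactDept, ContactTitle, " +
        "ContactPhone, ContactPhoneExt, ContactCellPhone, ContactFax, Email) " +
        "VALUES (@CustNo, @Serial, @Contact, @ContactDept, @ContactTitle, " +
        "@ContactPhone, @ContactPhoneExt, @ContactCellPhone, @ContactFax, @Email)";

    // Empty textboxes become NULL rather than ''. Widths are assumed.
    private static void AddText(SqlCommand cmd, string name, string value, int size) =>
        cmd.Parameters.Add(name, SqlDbType.NVarChar, size).Value =
            string.IsNullOrEmpty(value) ? (object)DBNull.Value : value;

    // A single INSERT is atomic on its own, so no explicit transaction is
    // needed; a SqlException propagates to the caller instead of being
    // swallowed as in the original UpdateData. Returns rows inserted (1).
    public static int InsertContact(string connectionString, int custNo,
        string serial, string contact, string dept, string title, string phone,
        string phoneExt, string cellPhone, string fax, string email)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(InsertSql, conn))
        {
            cmd.Parameters.Add("@CustNo", SqlDbType.Int).Value = custNo;
            AddText(cmd, "@Serial", serial, 50);
            AddText(cmd, "@Contact", contact, 100);
            AddText(cmd, "@ContactDept", dept, 100);
            AddText(cmd, "@ContactTitle", title, 100);
            AddText(cmd, "@ContactPhone", phone, 30);
            AddText(cmd, "@ContactPhoneExt", phoneExt, 10);
            AddText(cmd, "@ContactCellPhone", cellPhone, 30);
            AddText(cmd, "@ContactFax", fax, 30);
            AddText(cmd, "@Email", email, 254);
            conn.Open();
            return cmd.ExecuteNonQuery(); // INSERT/UPDATE: no DataReader needed
        }
    }
}
```

From the form this is called as `ContactRepository.InsertContact(gstrConn, m_iCustNo, txtSerial.Text, txtContact.Text, ...)` with the remaining textbox values in column order; the EscapeSQLText step is no longer needed because no form value is ever spliced into the statement text.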


Thanks Bruce!
It helps!

"Bruce Wood" <br*******@canada.com>
wrote in message news:11**********************@g47g2000cwa.googlegroups.com...



