声明的结尾缺失 [英] End of statement is missing
本文介绍了声明的结尾缺失的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
updateCommand = UPDATE dbo.CUSTOMER_TEST(CUST_ID,CUST_NAME,BILLING_TYPE,ADDRESS ,CITY,COUNTRY)值('& Cust_ID& ','& Cust_Name& ','& Billing_Type& ','& Address& ','& City& ','& Country& ') 其中 [CUST_ID] = ' & CUST_ID&'
解决方案
谷歌的Sql Injection攻击,找出你为什么做的那么糟糕。
然后Google为VB.NET SQL参数了解如何修复注入攻击以及如何使代码更具可读性和可调试性。
正如Dave所说,修复SQL注入漏洞将解决您的问题,并且这是您在整个代码中急需查看的内容。如果你不这样做,任何可以输入你的系统的人都可以删除你的数据库...
所以使用参数化查询:
< pre lang =vb> updateCommand = UPDATE dbo.CUSTOMER_TEST(CUST_NAME,BILLING_TYPE,ADDRESS,CITY,COUNTRY)值(@CNM,@ BT,@ ADD,@ CTY,@ CNT)WHERE CUST_ID = @ CID
...
myCommandInstance.Parameters.AddWithValue( @ CID,Cust_ID)
myCommandInstance.Parameters.AddWithValue( @CNM,Cust_Name)
...
你为什么这么做?无论如何都要将ID值更新为自身?
首先修复 SQL注入 [ ^ ] vul代码中的可靠性,正如其他答案所暗示的那样。
当你在它时,修复你与SQL的连接,以便它使用一个只有SQL的用户您的应用程序所需的权限。如果你连接为sa,它可以让黑客完全控制你的服务器。
在相关的说明中,我希望这不是你真正的sa密码你刚刚发布到公共论坛!如果是,你需要立即更改 - 这一次,选择更安全的东西!
最后,修复语法您的更新声明:
UPDATE(Transact-SQL) [ ^ ]
受保护的 Sub btnUPDATE_Click(发件人作为 对象,e 作为 System.EventArgs)句柄 btnUPDATE.Click
Dim Cust_id 作为 整数 = ??? ' TODO:从某个地方获取客户ID
Dim Cust_Name As String = itxtCustName.Text
Dim Address As String = itxtAddress.Text
< span class =code-keyword> Dim City As String = itxtCity.Text
Dim 国家作为 字符串 = itxtCountry.Text
Dim Billing_Type As 字符串
如果 rb_BillingType.SelectedIndex = 0 然后
Billing_Type = C
ElseIf rb_BillingType.SelectedIndex = 1 然后
Billing_Type = D
其他
Billing_Type = B
结束 如果
' TODO:作为SQL用户连接,仅具有应用程序所需的权限。
' 以sa连接将使黑客完全控制您的服务器。
使用 con < span class = code-keyword> As 新 SqlConnection( 数据源= ICPU0089 \ SQL2012;初始目录= AdventureWorks2008;用户ID = sa;密码= sa @ 123)
使用 cmd 作为 新 SqlCommand( UPDATE dbo.CUSTOMER_TEST SET CUST_NAME = @Cust_Name,BILLING_TYPE = @Billing_Type,ADDRESS = @ Address,CITY = @City,Country = @Country WHERE CUST_ID = @Cust_id,con)
cmd.Parameters.AddWithValue( @ Cust_id,Cust_id)
cmd .Parameters.AddWithValue( @ Cust_Name,Cust_Name)
cmd.Parameters.AddWithValue( @ Billing _Type,Billing_Type)
cmd.Parameters.AddWithValue( @ Address,地址)
cmd.Parameters.AddWithValue( @ City,City)
cmd.Parameters.AddWithValue( @ Country,Country)
con.Open()
cmd.ExecuteNonQuery()
结束 使用
结束 使用
结束 Sub
updateCommand = "UPDATE dbo.CUSTOMER_TEST (CUST_ID,CUST_NAME,BILLING_TYPE,ADDRESS,CITY,COUNTRY) values ('" & Cust_ID & "','" & Cust_Name & "','" & Billing_Type & "','" & Address & "','" & City & "','" & Country & "')" Where [CUST_ID] = '" & CUST_ID & "'" 解决方案
Google for "Sql Injection attack" to find out why what you're doing is so bad.
Then Google for "VB.NET SQL Parameters" to find out how to fix the injection attack and who you make your code much more readable and debuggable.
As Dave says, fixing the SQL Injection vulnerability will solve your problem, and it's something you urgently need to look at doing throughout your code. If you don't, anyone who can type into your system can delete your database...
So use parameterised queries:
updateCommand = "UPDATE dbo.CUSTOMER_TEST (CUST_NAME, BILLING_TYPE, ADDRESS, CITY, COUNTRY) values (@CNM, @BT, @ADD, @CTY, @CNT) WHERE CUST_ID=@CID" ... myCommandInstance.Parameters.AddWithValue("@CID", Cust_ID) myCommandInstance.Parameters.AddWithValue("@CNM",Cust_Name) ...
And just why are you updating the ID value to itself anyway?
Start by fixing the SQL Injection[^] vulnerability in your code, as the other answers have suggested.
While you're at it, fix your connection to SQL so that it uses a SQL user which only has the permissions required for your application. If you connect as "sa", it can give a hacker complete control of your server.
On a related note, I hope that's not your real "sa" password that you've just posted to a public forum! If it is, you need to change it immediately - and this time, choose something a bit more secure!
Finally, fix the syntax of yourUPDATEstatement:
UPDATE (Transact-SQL)[^]
Protected Sub btnUPDATE_Click(sender As Object, e As System.EventArgs) Handles btnUPDATE.Click Dim Cust_id As Integer = ??? ' TODO: Get the customer ID from somewhere Dim Cust_Name As String = itxtCustName.Text Dim Address As String = itxtAddress.Text Dim City As String = itxtCity.Text Dim Country As String = itxtCountry.Text Dim Billing_Type As String If rb_BillingType.SelectedIndex = 0 Then Billing_Type = "C" ElseIf rb_BillingType.SelectedIndex = 1 Then Billing_Type = "D" Else Billing_Type = "B" End If ' TODO: Connect as a SQL user with only the required permissions for your application. ' Connecting as "sa" will give a hacker complete control of your server. Using con As New SqlConnection("Data Source=ICPU0089\SQL2012;Initial Catalog=AdventureWorks2008;User ID=sa;Password=sa@123") Using cmd As New SqlCommand("UPDATE dbo.CUSTOMER_TEST SET CUST_NAME = @Cust_Name, BILLING_TYPE = @Billing_Type, ADDRESS = @Address, CITY = @City, Country = @Country WHERE CUST_ID = @Cust_id", con) cmd.Parameters.AddWithValue("@Cust_id", Cust_id) cmd.Parameters.AddWithValue("@Cust_Name", Cust_Name) cmd.Parameters.AddWithValue("@Billing_Type", Billing_Type) cmd.Parameters.AddWithValue("@Address", Address) cmd.Parameters.AddWithValue("@City", City) cmd.Parameters.AddWithValue("@Country", Country) con.Open() cmd.ExecuteNonQuery() End Using End Using End Sub
这篇关于声明的结尾缺失的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
