Syntax error in UPDATE statement.visual basic 2008


Problem description

connect.Open()
Dim cmd As OleDb.OleDbCommand = New OleDb.OleDbCommand("SELECT * FROM tbluser", connect)
sql = "UPDATE tbluser SET  Username='" & txtusername.Text & "', Password ='" & txtpassword.Text & "' where IDnumber ='" & txtidnumber.Text & "'"
cmd = New OleDb.OleDbCommand(sql, connect)
cmd.ExecuteNonQuery()
connect.Close()
MsgBox("Updated")

Recommended answer


Oh dear... :sigh:

Where do I start?
With the SQL Injection? The text based passwords? The redundant code? The outdated functions? Or the implication that this is Web based and you are using message boxes?

They are all problems...and they don't include the problem you have found!

Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it. (It's in C#, but the principles are the same.) You should also see here: Commitstrip, which might help to explain how such behaviour is considered by the real world.


Why do this:
Dim cmd As OleDb.OleDbCommand = New OleDb.OleDbCommand("SELECT * FROM tbluser", connect)

If you are going to immediately do this:

cmd = New OleDb.OleDbCommand(sql, connect)

Why not just create one command?


MsgBox was replaced in 2005 with the more up-to-date MessageBox class and its Show method. You shouldn't be using the older functions in new code - compatibility only.


VB.NET is web based. Message Boxes are Forms based. If you use a Message Box in a web based system, the client will never see it because it is displayed at the server. It appears to work for development because the two computers are the same physical unit - but in production it fails badly - and convinces your users that your application is rubbish...


Fix that lot, and it's very, very likely that your other problems will just disappear on their own.
Don't fix them, and you are heading for a world of pain...:sigh:
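
A parameterized version of the UPDATE from the question, with the password hashed before it is stored, as an added example that is not part of the original answer. The `UserStore` module, the `connectionString` argument, the column sizes and the PBKDF2 settings are assumptions for illustration; the `[Password]` brackets assume an Access/Jet database, where PASSWORD is a reserved word.

```vbnet
Imports System.Data.OleDb
Imports System.Security.Cryptography

Module UserStore
    ' Illustrative sizes and work factor (assumed values); tune Iterations for your hardware.
    Private Const SaltBytes As Integer = 16
    Private Const HashBytes As Integer = 32
    Private Const Iterations As Integer = 100000

    ' PBKDF2 via Rfc2898DeriveBytes with a fresh random salt per call.
    ' Result is "iterations:salt:hash" (Base64), so the clear-text password is never stored.
    Function HashPassword(ByVal password As String) As String
        Dim kdf As New Rfc2898DeriveBytes(password, SaltBytes, Iterations)
        Return Iterations.ToString() & ":" & _
               Convert.ToBase64String(kdf.Salt) & ":" & _
               Convert.ToBase64String(kdf.GetBytes(HashBytes))
    End Function

    ' Updates one user with a single parameterized command; returns the rows affected.
    ' Example call from the form: UpdateUser(connStr, txtidnumber.Text, txtusername.Text, txtpassword.Text)
    Function UpdateUser(ByVal connectionString As String, ByVal idNumber As String, _
                        ByVal userName As String, ByVal password As String) As Integer
        ' User input never becomes part of the SQL text; it travels only as parameter values.
        ' [Password] is bracketed on the assumption that the provider is Access/Jet.
        Const sql As String = _
            "UPDATE tbluser SET Username = ?, [Password] = ? WHERE IDnumber = ?"

        Using connect As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, connect)
                ' OleDb binds parameters by position, so add them in the order they appear in the SQL.
                ' Column sizes (50, 255, 50) are assumed; match them to the real table.
                cmd.Parameters.Add("@Username", OleDbType.VarWChar, 50).Value = userName
                cmd.Parameters.Add("@Password", OleDbType.VarWChar, 255).Value = HashPassword(password)
                cmd.Parameters.Add("@IDnumber", OleDbType.VarWChar, 50).Value = idNumber
                connect.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```

A return value of 0 means no row matched the given IDnumber, which the original code would have reported as "Updated".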

