每当我运行此代码时，我收到有关插入格式的错误 [英] Whenever I Run This Code, I Receive An Error About Insert Format

问题描述

Dim conn As New OleDbConnection(" Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Dew\Documents\StudentAttendance.mdb")
        conn.Open()
        Dim cmd As OleDbCommand
        cmd = conn.CreateCommand()
        If (TextBox2.Text = TextBox3.Text) Then
            cmd.CommandText = "INSERT INTO Login (Nam, Password) VALUES ('" & TextBox1.Text & "','" & TextBox2.Text & "');"
            Dim i As Integer
            i = cmd.ExecuteNonQuery()
            If (i = 1) Then
                MessageBox.Show("Success!!")
            Else
                MessageBox.Show("Failure!!")
            End If

推荐答案

从一开始你的方法就错了。您永远不应该通过连接从UI获取的字符串来创建查询。相反，您需要使用参数化语句。请参阅： http://msdn.microsoft.com/en-us/library/ff648339.aspx [ ^ ]。



如果你这样做，你的应用程序完全容易受到众所周知的漏洞的攻击： SQL注入。用户可以在UI中编写任何内容，包括一些SQL片段。你明白了吗？具体方法如下： http://xkcd.com/327 [ ^ ]。



请查看我过去的答案：

EROR IN com.ExecuteNonQuery（）; [ ^ ]，

名称未显示在名称中？ [ ^ ]。

-SA

Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327[^].

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].

—SA

这篇关于每当我运行此代码时，我收到有关插入格式的错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！