每当我运行此代码时,我收到有关插入格式的错误 [英] Whenever I Run This Code, I Receive An Error About Insert Format
本文介绍了每当我运行此代码时,我收到有关插入格式的错误的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
Dim conn As New OleDbConnection(" Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Dew\Documents\StudentAttendance.mdb")
conn.Open()
Dim cmd As OleDbCommand
cmd = conn.CreateCommand()
If (TextBox2.Text = TextBox3.Text) Then
cmd.CommandText = "INSERT INTO Login (Nam, Password) VALUES ('" & TextBox1.Text & "','" & TextBox2.Text & "');"
Dim i As Integer
i = cmd.ExecuteNonQuery()
If (i = 1) Then
MessageBox.Show("Success!!")
Else
MessageBox.Show("Failure!!")
End If
推荐答案
从一开始你的方法就错了。您永远不应该通过连接从UI获取的字符串来创建查询。相反,您需要使用参数化语句。请参阅: http://msdn.microsoft.com/en-us/library/ff648339.aspx [ ^ ]。
如果你这样做,你的应用程序完全容易受到众所周知的漏洞的攻击: SQL注入。用户可以在UI中编写任何内容,包括一些SQL片段。你明白了吗?具体方法如下: http://xkcd.com/327 [ ^ ]。
请查看我过去的答案:
EROR IN com.ExecuteNonQuery(); [ ^ ],
名称未显示在名称中? [ ^ ]。
-SA
Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].
If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327[^].
Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].
—SA
这篇关于每当我运行此代码时,我收到有关插入格式的错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文