任何人都可以更改以下代码 [英] can any one change the following code
本文介绍了任何人都可以更改以下代码的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
string cmd = string .Format( 更新mobilesubscriberdata1设置 + fieldname + =' + val + '其中m_date ='{0} ''{1}',dateTimePicker1.Value.ToString( yyyy-MM-dd)+ 和id = + Id + );
obj.GetDataTable(cmd);
任何人都可以告诉我上面命令中的错误是什么........ ...
请
解决方案
代码的主要问题是通过将某些字符串连接到某些字符串来编写查询的整个想法取自UI。馊主意。首先,重复的字符串连接真的很糟糕,因为字符串是不可变的(我必须解释这个吗?);你应该使用string.Format。
但更糟糕的是,这段代码打开了一扇通向井的大门已知的漏洞称为 SQL注入。方法如下:
http://xkcd.com/327 [ ^ ]。
如需进一步说明,请参阅我的过去答案和参考页面:
在com.ExecuteNonQuery()中更新EROR; [ ^ ],
你的名字没有显示名字? [ ^ ]。
这是你应该使用的:http://msdn.microsoft.com/en-us/l ibrary / ff648339.aspx [ ^ ]。
-SA
错误是您正在使用字符串连接创建SQL命令,这可能导致数据库损坏甚至完全破坏。使用正确的参数化查询,如文档中所述,并保护自己免受黑客攻击。
string cmd = string .Format( 更新mobilesubscriberdata1 set + fieldname + =' + val + '其中m_date ='{0}'和id = + Id + ,dateTimePicker1.Value.ToString( yyyy-MM-dd ));
用于清洁目的
string cmd = string .Format( 更新mobilesubscriberdata1 set {0} ='{1}'其中m_date ='{2}'和id = {3},fieldname,val,dateTimePicker1.Value.ToString( yyyy-MM-dd),Id);
string cmd = string.Format("Update mobilesubscriberdata1 set " + fieldname + "='" + val + "' where m_date='{0}''{1}'", dateTimePicker1.Value.ToString("yyyy-MM-dd") + " and id=" + Id + "");
obj.GetDataTable(cmd);
can any one tell me what is the error in above command...........
pls
解决方案
The major problem of your code is the whole idea of composing the query by concatenating some strings to some strings taken from UI. Bad idea. First, repeated string concatenation is really bad, because strings are immutable (do I have to explain this?); you should rather usestring.Format.
But, much worse, this code opens wide doors to a well-known exploit called SQL Injection. Here is how:
http://xkcd.com/327[^].
For further explanation, please see my past answers and referenced pages:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].
This is what you should use: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].
—SA
The error is that you are using string concatenation to create SQL commands, which can lead to corruption or even total destruction of your database. Use proper parameterised queries as described in the documentation and protect yourself from hackers.
string cmd = string.Format("Update mobilesubscriberdata1 set " + fieldname + "='" + val + "' where m_date='{0}'" and id=" + Id + "",dateTimePicker1.Value.ToString("yyyy-MM-dd"));
for cleaner purpose
string cmd = string.Format("Update mobilesubscriberdata1 set {0}='{1}' where m_date='{2}' and id={3}",fieldname,val,dateTimePicker1.Value.ToString("yyyy-MM-dd"),Id);
这篇关于任何人都可以更改以下代码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
