0

我正在尝试向我正在构建的网站添加评论。由于审查的内容被分成 3 个表,我试图在数据库中执行 3 次插入以进行一次审查。该页面在我运行它时显示,所以我知道它大部分都在工作,但是当我单击提交按钮时,我得到一个:

Syntax error (missing operator) in query expression '3')'' error message.

据说问题出在这行代码中:

Line 86:         dbInsert.ExecuteNonQuery()

这是我在本节中的代码:

Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) "
    sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "'," & uID & "')'"
    Dim sql2 As String = "INSERT INTO MReviewRatings (MReviewID, ValueForMoney, ActingAbility, SpecialEffects, Plot, Total) "
    sql2 = sql2 & " VALUES ('" & movID & "','" & moneyStar(moneyStarRating) & "','" & actingStar(actingStarRating) & "','" & effectsStar(effectStarRating) & "','" & plotStar(plotStarRating) & "','" & totalStar(avg) & "')'"
    Dim sql3 As String = "INSERT INTO MReviewTexts (MReviewID, ReviewText) "
    sql3 = sql3 & " VALUES ('" & review_id & "','" & txtReviewText.Text & "')'"
    dbInsert.CommandText = sql
    dbInsert.CommandType = CommandType.Text
    dbInsert.Connection = aConnection

    dbInsert2.CommandText = sql2
    dbInsert2.CommandType = CommandType.Text
    dbInsert2.Connection = aConnection
    dbInsert3.CommandText = sql3
    dbInsert3.CommandType = CommandType.Text
    dbInsert3.Connection = aConnection
    dbInsert.ExecuteNonQuery()
    dbInsert2.ExecuteNonQuery()
    dbInsert3.ExecuteNonQuery()

我不确定是什么导致了这个问题。有谁知道我如何才能将评论插入数据库?

4

4 回答 4

1

正如 freefaller 所指出的那样,通过以这种方式实现您的代码,您将自己暴露在 SQL 注入攻击中。

你最好这样写你的查询:

Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) " & _
    " VALUES (@movID,@review_id,@reviewerType,@timestamp,@userid)"
dbInsert.CommandText = sql
dbInsert.CommandType = CommandType.Text
dbInsert.Connection = aConnection
dbInsert.Parameters.Add(New SQLParameter("@movID",movID))
dbInsert.Parameters.Add(New SQLParameter("@review_id",review_id ))
dbInsert.Parameters.Add(New SQLParameter("@reviewerType",2))
dbInsert.Parameters.Add(New SQLParameter("@timestamp",Date.Now))
dbInsert.Parameters.Add(New SQLParameter("@userid",uID))
dbInsert.ExecuteNonQuery()

其余的查询可以得到类似的处理。此更改不仅可以保护您免受 SQL 注入攻击,还可以使您的数据访问层代码更易于管理。

于 2012-12-18T16:54:28.617 回答
0

这条线看起来像是在结尾附近缺少一个单引号(就在 之前uID):

sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "'," & uID & "')'"

s/b:

sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "','" & uID & "')'"
于 2012-12-18T16:35:00.203 回答
0

假设所有的文件都是 Varchar ......

Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) "
sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "','" & uID & "')"
Dim sql2 As String = "INSERT INTO MReviewRatings (MReviewID, ValueForMoney, ActingAbility, SpecialEffects, Plot, Total) "
sql2 = sql2 & " VALUES ('" & movID & "','" & moneyStar(moneyStarRating) & "','" & actingStar(actingStarRating) & "','" & effectsStar(effectStarRating) & "','" & plotStar(plotStarRating) & "','" & totalStar(avg) & "')"
Dim sql3 As String = "INSERT INTO MReviewTexts (MReviewID, ReviewText) "
sql3 = sql3 & " VALUES ('" & review_id & "','" & txtReviewText.Text & "')"
于 2012-12-18T16:37:35.483 回答
0

您的语句末尾有一个额外的单引号。

目前,字符串将导致类似...

insert into (x,y,z) values ('a','b','c')'

而不是这条线就像......

sql = sql & " VALUES ('" & movID .... uID & "')'"

你应该有(注意缺少')...

sql = sql & " VALUES ('" & movID .... uID & "')"

附带说明,如果您的列是基于数字的,则不需要将值放在单引号内。

您还应该尝试通过使用存储过程来防止SQL 注入攻击

于 2012-12-18T16:38:00.860 回答