0

这段代码有什么问题?

Dim mycon As OleDbConnection
    Dim cmd As OleDbCommand
    Dim sqlstring, game, ram, vga, scr, download, gametype, size As String
    game = TextBox1.Text
    download = TextBox2.Text
    scr = TextBox3.Text
    vga = TextBox4.Text
    ram = TextBox5.Text
    size = TextBox6.Text
    gametype = DropDownList1.SelectedValue.ToString
    mycon = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("../games.mdb"))
    mycon.Open()
    sqlstring = "INSERT INTO [Games] ( Name , url , image , Vga , Ram , Size , Type ) VALUES ('" + game + "' , '" + download + "' , '" + scr + "' , '" + vga + "' , '" + ram + "' , '" + size + "' , '" + gametype + "')"
    cmd = New OleDbCommand(sqlstring, mycon)
    cmd.ExecuteNonQuery()
    mycon.Close()

当我运行它时,我得到:

error in 
Line 21:         cmd.ExecuteNonQuery()

游戏架构 ID|名称|网址|图像|VGA|内存|大小|类型

堆栈跟踪:

[OleDbException (0x80040e14): Syntax error in INSERT INTO statement.]
   System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) +1090740
   System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) +247
   System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) +189
   System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) +58
   System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) +162
   System.Data.OleDb.OleDbCommand.ExecuteNonQuery() +107
   admin_editgames.Button1_Click(Object sender, EventArgs e) in E:\New folder (4)\WebSite1\admin\editgames.aspx.vb:23
   System.Web.UI.WebControls.Button.OnClick(EventArgs e) +9553594
   System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +103
   System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +35
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1724
4

1 回答 1

0

您的任何 TextBox 输入的输入值中是否有撇号(“'”)?如果是这样,你需要用另一个撇号来逃避它们:

game = Replace(TextBox1.Text, "'", "''")
' repeated for all variables

当您阅读有关 SQL 注入攻击的信息时,这类代码就是它们发生的方式。

于 2012-12-30T05:35:57.737 回答