-1

当在 SQL Server Management Studio 中用作查询时,该代码可以正常工作并插入到表中。我是 SQL 新手,因此感谢您提供任何帮助,谢谢。

SQL Server Management Studio 查询:

INSERT INTO Site(
    Sub_Company_ID, 
    Site_Name, 
    Site_Code, 
    Site_Address_1, 
    Site_Address_2, 
    Site_Address_3, 
    Site_Address_4, 
    Site_Postcode, 
    Site_Email, 
    Site_Username, 
    Site_Password, 
    Site_Order_Budget, 
    Site_Float, 
    Site_Managment_Percentage, 
    Site_Bond_Percentage, 
    Site_Minimum_Fee) 
    VALUES(
    '01', 
    'a', 
    '1', 
    'c', 
    'd', 
    'e', 
    'f', 
    'g', 
    'h', 
    'i', 
    'j', 
    '1',
    '2', 
    '3',
    '4',
    '5')

但是,当在实际程序中使用时,对于在文本中键入的 site_name 的任何内容,我都会收到异常错误。它说只允许使用常量、表达式或变量——尽管在我的 SQL 语句中使用字符串“a”时我没有这个问题。(这是程序中的一行,我只是想让这里更容易阅读)。

程序代码:

Dim str As String = "INSERT INTO Site(
    Sub_Company_ID, 
    Site_Name, 
    Site_Code, 
    Site_Address_1, 
    Site_Address_2, 
    Site_Address_3, 
    Site_Address_4, 
    Site_Postcode, 
    Site_Email, 
    Site_Username, 
    Site_Password, 
    Site_Order_Budget, 
    Site_Float, 
    Site_Managment_Percentage, 
    Site_Bond_Percentage, 
    Site_Minimum_Fee) 
    VALUES(" 
    & lstSubCompany.SelectedValue & "," 
    & txtSiteName.Text & "," 
    & txtSiteCode.Text & "," 
    & txtAddress1.Text & "," 
    & txtAddress2.Text & "," 
    & txtAddress3.Text & "," 
    & txtAddress4.Text & "," 
    & txtPostcode.Text & "," 
    & txtEmail.Text & ","
    & txtUsername.Text & "," 
    & txtPassword.Text & "," 
    & txtOrderBudget.Text & "," 
    & txtFloat.Text & "," 
    & txtManagmentFee.Text & "," 
    & txtBond.Text & "," 
    & txtMinimumFee.Text & ")" 
4

2 回答 2

0

用字符串分隔符(即)包围您的值'

Dim str As String = "INSERT INTO Site(
    Sub_Company_ID, 
    Site_Name, 
    Site_Code, 
    Site_Address_1, 
    Site_Address_2, 
    Site_Address_3, 
    Site_Address_4, 
    Site_Postcode, 
    Site_Email, 
    Site_Username, 
    Site_Password, 
    Site_Order_Budget, 
    Site_Float, 
    Site_Managment_Percentage, 
    Site_Bond_Percentage, 
    Site_Minimum_Fee) 
    VALUES('" 
    & lstSubCompany.SelectedValue & "','" 
    & txtSiteName.Text & "','" 
    & txtSiteCode.Text & "','" 
    & txtAddress1.Text & "','" 
    & txtAddress2.Text & "','" 
    & txtAddress3.Text & "','" 
    & txtAddress4.Text & "','" 
    & txtPostcode.Text & "','" 
    & txtEmail.Text & "','" 
    & txtUsername.Text & "','" 
    & txtPassword.Text & "','" 
    & txtOrderBudget.Text & "','" 
    & txtFloat.Text & "','" 
    & txtManagmentFee.Text & "','" 
    & txtBond.Text & "','" 
    & txtMinimumFee.Text & "')" 

但是这种插入对 SQL 注入很开放。改用类似的东西SqlCommand

并在存储之前对您的密码进行哈希处理。

于 2013-07-19T14:11:36.963 回答
0

此代码将允许您避免 sql 注入,并且还可以让您不必担心在更新语句中附加正确的 ''。也使其更易于维护。

 Using connection As New SqlConnection(connectionString)

Dim str As String = "INSERT INTO Site(Sub_Company_ID, Site_Name, Site_Code," & _
"Site_Address_1,Site_Address_2, Site_Address_3, Site_Address_4, Site_Postcode," & _
"Site_Email, Site_Username," & _
"Site_Password,Site_Order_Budget,Site_Float, Site_Managment_Percentage," & _
"Site_Bond_Percentage,Site_Minimum_Fee) " & _
"VALUES(@SubCompany,@SiteName,@SiteCode,@Address1,@Address2,@Address3," & _
"@Address4,@Address4,@Postcode,@Email,@Username,@Password,@OrderBudget," & _
"@Float,@Management,@Bond,@MinimumFee)"
            Dim cmd As New SqlCommand(str, connection)
            cmd.Parameters.AddWithValue("@SubCompany", lstSubCompany.SelectedValue)
            cmd.Parameters.AddWithValue("@SubCompany", txtSiteName.Text)
            cmd.Parameters.AddWithValue("@SubCompany", txtSiteCode.Text)
            cmd.Parameters.AddWithValue("@Address1", txtAddress1.Text)
            cmd.Parameters.AddWithValue("@Address2", txtAddress2.Text)
            cmd.Parameters.AddWithValue("@Address3", txtAddress3.Text)
            cmd.Parameters.AddWithValue("@Address4", txtAddress4.Text)
            cmd.Parameters.AddWithValue("@Postcode", txtPostcode.Text)
            cmd.Parameters.AddWithValue("@Email", txtEmail.Text)
            cmd.Parameters.AddWithValue("@Username", txtUsername.Text)
            cmd.Parameters.AddWithValue("@Password", txtPassword.Text)
            cmd.Parameters.AddWithValue("@OrderBudget", txtOrderBudget.Text)
            cmd.Parameters.AddWithValue("@Float", txtFloat.Text)
            cmd.Parameters.AddWithValue("@Management", txtManagmentFee.Text)
            cmd.Parameters.AddWithValue("@Bond", txtBond.Text)
            cmd.Parameters.AddWithValue("@MinimumFee", txtMinimumFee.Text)
            Try
                connection.Open()
                Dim rowsAffected As Integer = cmd.ExecuteNonQuery()
                Console.WriteLine("RowsAffected: {0}", rowsAffected)

            Catch ex As Exception
                Console.WriteLine(ex.Message)
            End Try
        End Using
于 2013-07-19T15:29:15.637 回答