
Can anyone fix the code below, plz ....

Note: front end VB8 and back end Access 7

Private Sub SaveData()
    Dim InsertString As String
    InsertString = "Insert into STUDENT DETAILS(SREGNO,SFIRSTNAME,SMIDDLENAME,SLASTNAME,SYEAR,SCOURSE,SSEM,SCLASS,SLANGUAGE)" & "Values('" & Me.TXTSREGNO.Text & "','" & Me.TXTSFIRSTNAME.Text & "','" & Me.TXTSMIDDLENAME.Text & "','" & Me.TXTSLASTNAME.Text & "','" & Me.COMB1SYEAR.Text & "','" & Me.COMB2SCOURSE.Text & "','" & Me.COMB3SSEM.Text & "','" & Me.COMB4SCLASS.Text & "','" & Me.COMB5SLANGUAGE.Text & " ');"
    Dim InsertCommand As New OleDbCommand(InsertString, Con)
    InsertCommand.ExecuteNonQuery()
    MsgBox("New record added successfully.", MsgBoxStyle.Information, "Record Added")
End Sub

1 Answer


The error is the table name, which contains a space, so you need to enclose it in square brackets:

INSERT INTO [Student Details] ........

But you really need to learn how to use parameterized queries.
This code is really an invitation to SQL injection.

This is how you could rewrite your code to use a parameterized query:

Dim InsertString As String
InsertString = "Insert into [STUDENT DETAILS] "  & _
"(SREGNO,SFIRSTNAME,SMIDDLENAME,SLASTNAME,SYEAR,SCOURSE,SSEM,SCLASS,SLANGUAGE)" & _
"Values(?,?,?,?,?,?,?,?,?)"
Dim InsertCommand As New OleDbCommand(InsertString, Con)
InsertCommand.Parameters.AddWithValue("@p1", Me.TXTSREGNO.Text )
InsertCommand.Parameters.AddWithValue("@p2", Me.TXTSFIRSTNAME.Text )
InsertCommand.Parameters.AddWithValue("@p3", Me.TXTSMIDDLENAME.Text )
InsertCommand.Parameters.AddWithValue("@p4", Me.TXTSLASTNAME.Text )
InsertCommand.Parameters.AddWithValue("@p5", Me.COMB1SYEAR.Text )
InsertCommand.Parameters.AddWithValue("@p6", Me.COMB2SCOURSE.Text) 
InsertCommand.Parameters.AddWithValue("@p7", Me.COMB3SSEM.Text)
InsertCommand.Parameters.AddWithValue("@p8", Me.COMB4SCLASS.Text )
InsertCommand.Parameters.AddWithValue("@p9", Me.COMB5SLANGUAGE.Text)
InsertCommand.ExecuteNonQuery()

Yes, you have to write more code, but it is safer against SQL injection, and you will never get a syntax error when one or more of your textbox fields happens to contain a single quote.

answered 2013-08-19T15:00:33.480
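The three points the answer makes (a space in a table name needs bracket quoting, string concatenation breaks on a single quote, positional `?` parameters do not) can be seen side by side in a small runnable example. This is an added example, not code from the question or the answer: it uses Python's built-in sqlite3 module as a stand-in for the VB.NET/OleDb/Access setup, because SQLite also accepts `[Student Details]` bracket quoting and positional `?` placeholders. The table, columns and student names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the Access back end."""
    con = sqlite3.connect(":memory:")
    # Bracket-quoted identifier, as the answer suggests for a name with a space.
    con.execute(
        "CREATE TABLE [Student Details] "
        "(SREGNO TEXT, SFIRSTNAME TEXT, SLASTNAME TEXT)"
    )
    return con


def insert_concatenated(con, regno, first, last):
    """Same pattern as the question: values spliced into the SQL text."""
    sql = (
        "INSERT INTO [Student Details] (SREGNO, SFIRSTNAME, SLASTNAME) "
        "VALUES('" + regno + "','" + first + "','" + last + "')"
    )
    con.execute(sql)


def insert_parameterized(con, regno, first, last):
    """Same pattern as the answer: positional ? placeholders, values bound separately."""
    sql = (
        "INSERT INTO [Student Details] (SREGNO, SFIRSTNAME, SLASTNAME) "
        "VALUES(?,?,?)"
    )
    con.execute(sql, (regno, first, last))


def stored_names(con):
    """Return the first names in insertion order, so the effect of each insert is visible."""
    rows = con.execute("SELECT SFIRSTNAME FROM [Student Details] ORDER BY rowid")
    return [row[0] for row in rows]


def demo():
    con = make_db()
    results = {}

    # Ordinary input: both styles store the row.
    insert_concatenated(con, "S001", "Ann", "Lee")
    insert_parameterized(con, "S002", "Bob", "Ray")

    # A name containing an apostrophe: concatenation yields VALUES('S003','O'Brien','X'),
    # which the database rejects as malformed SQL ...
    try:
        insert_concatenated(con, "S003", "O'Brien", "X")
        results["concat_apostrophe"] = "inserted"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "error"

    # ... while the parameterized version stores the value verbatim.
    insert_parameterized(con, "S004", "O'Brien", "X")
    results["names"] = stored_names(con)

    # The question's original mistake: the table name used without brackets.
    try:
        con.execute("INSERT INTO Student Details (SREGNO) VALUES('S005')")
        results["unbracketed"] = "ok"
    except sqlite3.OperationalError:
        results["unbracketed"] = "error"

    con.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Running it shows the concatenated insert failing on `O'Brien` while the parameterized insert stores the same value, and the unbracketed `Student Details` failing just as it did in the question. The parameter values never become part of the SQL text, which is why the answer calls the parameterized form safer against SQL injection.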