0

我有一个数据库问题,如果我的 sql 是这样的:

Dim Username
Username = request.form(trim("username"))
Username = Replace(username,"'","''") 

Dim email
email = request.form(trim("email"))
email = Replace(email,"'","''")

Dim question
question = request.form(trim("question"))
question = Replace(question,"'","''")

Dim answer
answer = request.form(trim("answer"))
answer = Replace(answer,"'","''")


Dim date_answered
dag = Day(Now())
maand = Month(Now())
jaar = Year(Now())
uur = Hour(Time)
minuten = Minute(Time)
seconden = Second(Time)
datum= jaar & "-" & maand & "-" & dag
tijd = uur & ":" & minuten& ":" & seconden
date_answered = (datum & " " & tijd)

Dim isActive
isActive = "yes"    
sql="UPDATE faqtbl SET "
      sql=sql & "Name='" & username & "',"
      sql=sql & "email='" & email & "',"
      sql=sql & "question='" & question & "',"
      sql=sql & "answer='" & answer & "',"
      sql=sql & "date_answered='" & date_answered & "',"
      sql=sql & "isActive='" & isActive & "'"
      sql=sql & " WHERE ID='" & lngRecordNo &"';"
      on error resume next

在我要添加到数据库中的数据使用双引号之前,完全没有问题。请帮助我如何使用双引号来操作查询?谢谢你.. :)

4

1 回答 1

5

即使数据不使用引号,您的代码也存在问题:您动态生成的 SQL 语句对SQL 插入攻击是开放的。您需要重新编写查询以使用查询参数。这将解决引号问题,并使您的 SQL 更加健壮。

这是一个简短的示例,说明如何修改您update的使用参数:

Imports System.Data.SqlClient
Public Class Example
    Private Sub Update(ByVal userName As System.String, _
            ByVal email As System.String)
        Dim con As SqlConnection = New SqlConnection( _
            "Data Source=.;Integrated Security=True;<...>")
        con.Open()
        Dim cmdText As String = _
            "UPDATE faqtbl SET Name=@UserName,Email=@email"
        Dim cmd As SqlCommand = New SqlCommand(cmdText, con)
        With cmd.Parameters
            .Add(New SqlParameter("@UserName", userName))
            .Add(New SqlParameter("@email", email))
        End With
        cmd.ExecuteNonQuery()
        con.Close()
        con = Nothing
    End Sub
End Class
于 2011-12-18T12:56:46.657 回答