Code bugs in C#

Developer https://www.devze.com 2023-02-24 23:46 Source: web
What are the disadvantages of this code :

SqlConnection con = new SqlConnection();
con.ConnectionString = @"Data Source=.\sqlExpress;Initial Catalog=Learn;Integrated Security=True";
SqlCommand cmd = new SqlCommand();
cmd.CommandText = "Insert Into tblUser(name,family,tel)Values('" + txtName.Text + "','" + txtFamily.Text + "','" + txtTel.Text + "')";
cmd.Connection = con;
cmd.CommandType = CommandType.Text;
con.Open();
cmd.ExecuteNonQuery();
con.Close();


You mean besides the fact that the SqlConnection won't be disposed, and that the SqlCommand is written in such a way as to invite a SQL Injection attack?

Relevant XKCD comic:

http://xkcd.com/327/


One major disadvantage is that you don't quote your strings or use parameterized queries, so somebody who inputs O'Brien for their last name will get an exception.

Of course, that also means that somebody can enter arbitrary SQL into a text box and have you execute it for them. That's bad.


Related to secure coding...

Your code is vulnerable to SQL Injection attacks since you are directly using txtName.Text in the code to form a query. Parameterized queries should be used. Additionally, you should validate txtName.Text before using it. That is it.
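The two problems the answers point at (the undisposed SqlConnection and the string-concatenated INSERT) have one standard fix: wrap the connection and command in using blocks and pass the text-box values as typed parameters. The following is an added example written for this page, not code from the question or from any of the answers. It assumes the tblUser columns are nvarchar; the column sizes (50/50/20) and the UserRepository class name are placeholders chosen for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the same insert as in the question, rewritten so that
// (1) connection and command are always disposed, and
// (2) user input never becomes part of the SQL text.
public static class UserRepository
{
    private const string ConnectionString =
        @"Data Source=.\sqlExpress;Initial Catalog=Learn;Integrated Security=True";

    // Returns the number of rows affected (1 on a successful insert).
    public static int InsertUser(string name, string family, string tel)
    {
        // Validation enforces business rules (required field, length limits that
        // match the placeholder column sizes). The parameters below stop SQL
        // injection on their own; validation is the separate check the last
        // answer asks for.
        if (string.IsNullOrWhiteSpace(name))
            throw new ArgumentException("name is required", nameof(name));
        if (name.Length > 50 || (family ?? "").Length > 50 || (tel ?? "").Length > 20)
            throw new ArgumentException("input exceeds column size");

        // 'using' calls Dispose() even when ExecuteNonQuery throws, so the
        // connection returns to the pool instead of leaking until GC.
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO tblUser (name, family, tel) VALUES (@name, @family, @tel)", con))
        {
            // Values are sent as typed parameters, never spliced into the query,
            // so a last name like O'Brien (or a quote-and-semicolon payload)
            // is stored as plain data and cannot change the statement.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            cmd.Parameters.Add("@family", SqlDbType.NVarChar, 50).Value = (object)family ?? DBNull.Value;
            cmd.Parameters.Add("@tel", SqlDbType.NVarChar, 20).Value = (object)tel ?? DBNull.Value;

            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

From the form's click handler this replaces the original nine lines with a single call: UserRepository.InsertUser(txtName.Text, txtFamily.Text, txtTel.Text);. Declaring the parameter type and size explicitly (rather than AddWithValue) also keeps the plan cache stable, since the server sees the same parameter signature on every call.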
