This is my ASP.NET code:
<html>
<body>
<%
Dim Conn
Conn = "Provider=xxxxxx; Server=xxxxxx; Database=xxxxxx; Trusted_Connection=xxx; "
sql="INSERT IN开发者_Python百科TO xxxx"
sql=sql & " VALUES "
sql=sql & "('" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "')"
on error resume next
Conn.Execute sql,recaffected
if err<>0 then
Response.Write("Update Failed")
else
Response.Write("<h3>"Record Added</h3>")
end if
%>
</body>
</html>
I always get a result of "Update Failed"... Can you see from the code why this is?
Suggest a major refactoring to eliminate your SQL injection vulnerability.
Dim conn As New SqlConnection(SomeConnectionString)
Dim cmd As SqlCommand = conn.CreateCommand()
conn.Open()
cmd.CommandText="INSERT INTO MyTable(Column1, Column2) " & _
" VALUES (@Value1, @Value2)"
cmd.Parameters.AddWithValue("@Value1", Request.Form("xxxx"))
cmd.Parameters.AddWithValue("@Value2", Request.Form("xxxx"))
'add all your parameters as per above '
cmd.ExecuteNonQuery()
You need to take out the command text and use procedures, otherwise you open yourself to security holes. NEVER put your SQL commands on your UI or code-behind. Best practices is stored procedures.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论