Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
Literal1.Text = Request.QueryString("Pno")
On Error Resume Next
Dim SQLData As New System.Data.SqlClient.SqlConnection("workstation id=ws.example.com;packet size=4096;user id=some-user;pwd=some-password;data source=mssql.example.com;persist security info=False;initial catalog=some-db")
Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT * FROM a1_ticket WHERE PNR_no ='" & Literal1.Text & "'", SQLData)
SQLData.Open()
Dim dtrReader As System.Data.SqlClient.SqlDataReader = cmdSelect.ExecuteReader()
If dtrReader.HasRows Then
While dtrReader.Read()
Literal2.Text = dtrReader("bus_type")
Literal3.Text = dtrReader("dep_time")
Literal4.Text = dtrReader("PRN")
Literal5.Text = dtrReader("fro_m")
Literal6.Text = dtrReader("seat_opt")
Literal7.Text = dtrReader("Ticket_no")
Literal8.Text = dtrReader("t_o")
Literal9.Text = dtrReader("taxes")
Literal10.Text = dtrReader("Travels")
Literal11.Text = dtrReader("journey_date")
Literal12.Text = dtrReader("net_pay")
Literal13.Text = dtrReader("name")
开发者_开发百科 Literal14.Text = dtrReader("seat_opt")
Literal15.Text = dtrReader("sel_seat")
Literal16.Text = dtrReader("bd_point")
End While
Else
End If
Dim cmd As New System.Data.SqlClient.SqlCommand("SELECT * FROM a1_vendors WHERE UserId ='" & Request.QueryString("tid") & "'", SQLData)
cmd.ExecuteScalar()
Literal17.Text = dtrReader("travels")
Literal18.Text = dtrReader("Contactno")
SQLData.Close()
dtrReader.Close()
SQLData.Close()
End Sub
What's wrong with this query? It's begging for a SQL injection attack.
See:
Dim cmd As New SqlCommand(
"SELECT * FROM a1_vendors WHERE UserId ='" &
Request.QueryString("tid") & "'", SQLData)
What if Request.QueryString("tid")
contained the value "'' GO DROP TABLE a1_vendors GO SELEC ''
"
Suddenly your command becomes "SELECT * FROM a1_vendors WHERE UserId = '' GO DROP TABLE a1_vendors GO SELECT ''
"
I expect you mean the second one, where you SELECT *
but ExecuteScalar
; ExecuteScalar
only returns one value (as the result) - and it doesn't update a reader, so Literal17
/ Literal18
are getting their values from nowhere.
Following your existing pattern, it should be something like:
' caveat: this is **not** intended as a perfect example; this intentionally
' uses the same pattern as the question; see below for notes
dtrReader = cmd.ExecuteReader()
If dtrReader.Read()
Literal17.Text = dtrReader("travels")
Literal18.Text = dtrReader("Contactno")
End If
more importantly, though
- no separation; everything from connection-string management, account credentials (thanks for those, btw), data access and UI is handled right there in a
Page_Load
event, itself the cause of great gnashing of teeth - susceptible to SQL injection
- no
using
(or the VB equivalent) to make sure you have deterministic cleanup, rather than waiting on garbage collection (in the inevitable event of exceptions)
精彩评论