62,046
社区成员
发帖
与我相关
我的任务
分享我在使用ASP.NET+C#操作数据库遇到点问题,HELP
在aspx页里放了几个TextBox
然后在.cs文件里写代码,目的是实现加入一条新记录
写入数据库代码如下:
================================================================================private void Write_Click(object sender, System.EventArgs e)
{
string conStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath(".") + "..\\DataBase\\Gbook.mdb";
string insertStr = "Insert into Gbook (Title,Username,Sex,Email,Oicq,Homepage,HeartPic,HeadPic,Content,Uptime) Values ('"
+ title.Text + "','"
+ Username.Text + "','"
+ Sex.SelectedItem.Text + "','"
+ mail.Text + "','"
+ OICQ.Text + "','"
+ homepage.Text + "','"
+ Pic.SelectedItem.Value + "','"
+ Head.SelectedItem.Value + "','"
+ content.Text + "','"
+ DateTime.Now.ToString() + "')";
OleDbConnection conn = new OleDbConnection(conStr);
conn.Open();
OleDbCommand comm = new OleDbCommand(insertStr,conn);
comm.ExecuteNonQuery();
conn.Close();
Response.Redirect("Default.aspx");
}
================================================================================
其实添加记录正常,只是在content.Text添加比如“ ' ” 之类的东西,就会出错。写两个''正常,但是前台只显示了一个 ' ,单单只写一个 '的话,就会
提示 语法错误 (操作符丢失) 。
请问怎么解决,最好能详细说明,谢谢!
然后在.cs文件里写代码,目的是实现加入一条新记录
写入数据库代码如下:
================================================================================private void Write_Click(object sender, System.EventArgs e)
{
string conStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath(".") + "..\\DataBase\\Gbook.mdb";
string insertStr = "Insert into Gbook (Title,Username,Sex,Email,Oicq,Homepage,HeartPic,HeadPic,Content,Uptime) Values ('"
+ title.Text + "','"
+ Username.Text + "','"
+ Sex.SelectedItem.Text + "','"
+ mail.Text + "','"
+ OICQ.Text + "','"
+ homepage.Text + "','"
+ Pic.SelectedItem.Value + "','"
+ Head.SelectedItem.Value + "','"
+ content.Text + "','"
+ DateTime.Now.ToString() + "')";
OleDbConnection conn = new OleDbConnection(conStr);
conn.Open();
OleDbCommand comm = new OleDbCommand(insertStr,conn);
comm.ExecuteNonQuery();
conn.Close();
Response.Redirect("Default.aspx");
}
================================================================================
其实添加记录正常,只是在content.Text添加比如“ ' ” 之类的东西,就会出错。写两个''正常,但是前台只显示了一个 ' ,单单只写一个 '的话,就会
提示 语法错误 (操作符丢失) 。
请问怎么解决,最好能详细说明,谢谢!
...全文
请发表友善的回复…
发表回复
SnApnet 2003-09-12
- 打赏
- 举报
感谢saucer(思归)
问题解决了。谢谢
问题解决了。谢谢
jjcccc 2003-09-12
- 打赏
- 举报
sql server 中的转义字符为',改成下面这样试试
string insertStr = "Insert into Gbook (Title,Username,Sex,Email,Oicq,Homepage,HeartPic,HeadPic,Content,Uptime) Values ('"
+ title.Text + "','"
+ Username.Text + "','"
+ Sex.SelectedItem.Text + "','"
+ mail.Text + "','"
+ OICQ.Text + "','"
+ homepage.Text + "','"
+ Pic.SelectedItem.Value + "','"
+ Head.SelectedItem.Value + "','"
+ content.Text.Replace("'","''") + "','"
+ DateTime.Now.ToString() + "')";
OleDbConnection conn = new OleDbConnection(conStr);
conn.Open();
OleDbCommand comm = new OleDbCommand(insertStr,conn);
comm.ExecuteNonQuery();
conn.Close();
Response.Redirect("Default.aspx");
}
string insertStr = "Insert into Gbook (Title,Username,Sex,Email,Oicq,Homepage,HeartPic,HeadPic,Content,Uptime) Values ('"
+ title.Text + "','"
+ Username.Text + "','"
+ Sex.SelectedItem.Text + "','"
+ mail.Text + "','"
+ OICQ.Text + "','"
+ homepage.Text + "','"
+ Pic.SelectedItem.Value + "','"
+ Head.SelectedItem.Value + "','"
+ content.Text.Replace("'","''") + "','"
+ DateTime.Now.ToString() + "')";
OleDbConnection conn = new OleDbConnection(conStr);
conn.Open();
OleDbCommand comm = new OleDbCommand(insertStr,conn);
comm.ExecuteNonQuery();
conn.Close();
Response.Redirect("Default.aspx");
}
zhongkeruanjian 2003-09-12
- 打赏
- 举报
用\转义一下,试试
saucer 2003-09-12
- 打赏
- 举报
sorry, replace comm.Paramters with comm.Parameters.
saucer 2003-09-12
- 打赏
- 举报
that is classic SQL inject attack, either you have to filter the text or use a paramterized query
string insertStr = "Insert into Gbook (Title,Username,Sex,Email,Oicq,Homepage,HeartPic,HeadPic,Content,Uptime) Values (?,?,?,?,?,?,?,?,?,?)";
OleDbConnection conn = new OleDbConnection(conStr);
conn.Open();
OleDbCommand comm = new OleDbCommand(insertStr,conn);
comm.Paramters.Add("@Title",title.Text);
comm.Paramters.Add("@User",Username.Text);
comm.Paramters.Add("@Sex",Sex.SelectedItem.Text);
comm.Paramters.Add("@Email",mail.Text);
comm.Paramters.Add("@Oicq",OICQ.Text);
comm.Paramters.Add("@Homepage",homepage.Text );
comm.Paramters.Add("@HeartPic",Pic.SelectedItem.Value);
comm.Paramters.Add("@HeadPic",Head.SelectedItem.Value);
comm.Paramters.Add("@Content",content.Text);
comm.Paramters.Add("@Uptime",DateTime.Now.ToString());//comm.Paramters.Add("@Uptime",DateTime.Now); //>>
comm.ExecuteNonQuery();
conn.Close();
Response.Redirect("Default.aspx");
string insertStr = "Insert into Gbook (Title,Username,Sex,Email,Oicq,Homepage,HeartPic,HeadPic,Content,Uptime) Values (?,?,?,?,?,?,?,?,?,?)";
OleDbConnection conn = new OleDbConnection(conStr);
conn.Open();
OleDbCommand comm = new OleDbCommand(insertStr,conn);
comm.Paramters.Add("@Title",title.Text);
comm.Paramters.Add("@User",Username.Text);
comm.Paramters.Add("@Sex",Sex.SelectedItem.Text);
comm.Paramters.Add("@Email",mail.Text);
comm.Paramters.Add("@Oicq",OICQ.Text);
comm.Paramters.Add("@Homepage",homepage.Text );
comm.Paramters.Add("@HeartPic",Pic.SelectedItem.Value);
comm.Paramters.Add("@HeadPic",Head.SelectedItem.Value);
comm.Paramters.Add("@Content",content.Text);
comm.Paramters.Add("@Uptime",DateTime.Now.ToString());//comm.Paramters.Add("@Uptime",DateTime.Now); //>>
comm.ExecuteNonQuery();
conn.Close();
Response.Redirect("Default.aspx");
SnApnet 2003-09-12
- 打赏
- 举报
up
