Updating an mdb database table

半阙折子戏 2021-01-25 11:45

I'm building a simple site using .NET Web Forms and a .mdb database as the data source.

The problem is: I have a working back site through which I can create

2 answers
  • 2021-01-25 12:26
    @"UPDATE pages 
      SET title= '" + pa.title + @"', 
          content = '" + pa.content + @"' 
      WHERE id= " + pa.id
    
    0 Discussion (0)
  • 2021-01-25 12:42

    Well, your update query lacks a comma between fields, but that's only the tip of a big iceberg.

    UPDATE pages SET title=" + pa.title + ", content =" + pa.content + " WHERE id=" + pa.id
    

    Your query, written in this way, is exposed to a big security problem. It is called SQL Injection.

    I will show a pseudocode because I don't have a sample of your actual code.

    string queryText = "UPDATE pages SET title=@title, content=@content WHERE id=@id";
    
    using (SqlConnection cn = new SqlConnection(connection_string))
    using (SqlCommand cmd = new SqlCommand(queryText, cn))
    {
        // The values travel as parameters and are never spliced into the SQL text
        cmd.Parameters.AddWithValue("@title", pa.title);
        cmd.Parameters.AddWithValue("@content", pa.content);
        cmd.Parameters.AddWithValue("@id", pa.id);
        cn.Open(); // ExecuteNonQuery requires an open connection
        cmd.ExecuteNonQuery();
    }
    

    Working in this way you avoid problems with SQL Injection, parsing of single quotes inside your values, and leaking system resources because the connection is not disposed.

    See: Parametrized Queries, Using Statement

    0 Discussion (0)
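The answer above uses the SQL Server classes as pseudocode; for an Access .mdb file the .NET provider is OLE DB, which binds parameters by position (each `?` in order) rather than by name. The following is an added example, not code from the question or either answer, of the same parameterized UPDATE against the `pages` table written for OleDb; the connection string, method name and explicit column sizes are assumptions.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

public static class PageRepository
{
    // Assumed connection string: adjust the provider and path to your .mdb file.
    private const string ConnectionString =
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\site\\App_Data\\site.mdb;";

    // Updates one row and returns the number of rows affected (0 = no such id).
    public static int UpdatePage(int id, string title, string content)
    {
        // The Jet/ACE OLE DB provider ignores parameter names: every '?' is bound
        // in the order the parameters were added, so Add() must follow the SQL order.
        const string queryText =
            "UPDATE pages SET title = ?, content = ? WHERE id = ?";

        using (OleDbConnection cn = new OleDbConnection(ConnectionString))
        using (OleDbCommand cmd = new OleDbCommand(queryText, cn))
        {
            // Explicit types instead of AddWithValue so the provider does not have to
            // guess (e.g. a long content string being sent as a too-short VarWChar).
            cmd.Parameters.Add("@title", OleDbType.VarWChar, 255).Value = title;
            cmd.Parameters.Add("@content", OleDbType.LongVarWChar).Value = content;
            cmd.Parameters.Add("@id", OleDbType.Integer).Value = id;

            cn.Open(); // ExecuteNonQuery throws on a closed connection
            return cmd.ExecuteNonQuery();
        }
        // Both using blocks dispose the command and connection even when an exception occurs.
    }

    public static void Main()
    {
        // A title with an embedded single quote would break (or be abused in) the
        // concatenated query; as a parameter it is stored literally.
        int rows = UpdatePage(3, "O'Reilly's page", "Updated <b>content</b>");
        Console.WriteLine(rows == 1 ? "page 3 updated" : "no page with id 3");
    }
}
```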