asp.net 连接问题答案

【问题标题】：asp.net connection issuesasp.net 连接问题
【发布时间】：2011-08-19 01:19:59
【问题描述】：

这是我的 ASP.NET 代码：

<html>
<body>

<%
Dim Conn
Conn = "Provider=xxxxxx; Server=xxxxxx; Database=xxxxxx; Trusted_Connection=xxx; "


sql="INSERT INTO xxxx"
sql=sql & " VALUES "
sql=sql & "('" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "',"
sql=sql & "'" & Request.Form("xxxx") & "')"

on error resume next
Conn.Execute sql,recaffected
if err<>0 then
  Response.Write("Update Failed")
else
  Response.Write("<h3>"Record Added</h3>")
end if

%>

</body>
</html>

我总是得到“更新失败”的结果...你能从代码中看出这是为什么吗？

【问题讨论】：

标签： asp.net

【解决方案1】：

建议进行重大重构以消除您的 SQL 注入漏洞。

Dim  conn As New SqlConnection(SomeConnectionString)
Dim  cmd As SqlCommand = conn.CreateCommand()

conn.Open()
cmd.CommandText="INSERT INTO MyTable(Column1, Column2)  " & _
                     " VALUES (@Value1, @Value2)"
cmd.Parameters.AddWithValue("@Value1", Request.Form("xxxx"))
cmd.Parameters.AddWithValue("@Value2", Request.Form("xxxx"))
'add all your parameters as per above  '

cmd.ExecuteNonQuery()

【讨论】：

【解决方案2】：

您需要取出命令文本并使用程序，否则您将面临安全漏洞。永远不要将你的 SQL 命令放在你的 UI 或代码隐藏中。最佳实践是存储过程。

【讨论】：