Fatal编程技术网
  • asp.net/
  • Asp.net 为什么这个查询无法编译?

Asp.net 为什么这个查询无法编译?

asp.net vb.net

Asp.net 为什么这个查询无法编译?,asp.net,vb.net,Asp.net,Vb.net,这个代码怎么了 Dim mycon As OleDbConnection Dim cmd As OleDbCommand Dim sqlstring, game, ram, vga, scr, download, gametype, size As String game = TextBox1.Text download = TextBox2.Text scr = TextBox3.Text vga = TextBox4.Text ram

这个代码怎么了

Dim mycon As OleDbConnection
    Dim cmd As OleDbCommand
    Dim sqlstring, game, ram, vga, scr, download, gametype, size As String
    game = TextBox1.Text
    download = TextBox2.Text
    scr = TextBox3.Text
    vga = TextBox4.Text
    ram = TextBox5.Text
    size = TextBox6.Text
    gametype = DropDownList1.SelectedValue.ToString
    mycon = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("../games.mdb"))
    mycon.Open()
    sqlstring = "INSERT INTO [Games] ( Name , url , image , Vga , Ram , Size , Type ) VALUES ('" + game + "' , '" + download + "' , '" + scr + "' , '" + vga + "' , '" + ram + "' , '" + size + "' , '" + gametype + "')"
    cmd = New OleDbCommand(sqlstring, mycon)
    cmd.ExecuteNonQuery()
    mycon.Close()
当我运行它时,我得到:

error in 
Line 21:         cmd.ExecuteNonQuery()
游戏模式 id |名称| url |图像| Vga | Ram |大小|类型

堆栈跟踪:

[OleDbException (0x80040e14): Syntax error in INSERT INTO statement.]
   System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) +1090740
   System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) +247
   System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) +189
   System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) +58
   System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) +162
   System.Data.OleDb.OleDbCommand.ExecuteNonQuery() +107
   admin_editgames.Button1_Click(Object sender, EventArgs e) in E:\New folder (4)\WebSite1\admin\editgames.aspx.vb:23
   System.Web.UI.WebControls.Button.OnClick(EventArgs e) +9553594
   System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +103
   System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +35
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1724
您的文本框输入值中是否有撇号(“”)?如果是这样,你需要用另一个撇号来逃避:

game = Replace(TextBox1.Text, "'", "''")
' repeated for all variables
当您阅读有关SQL注入攻击的信息时,这类代码就是它们如何发生的。

使用
Sqlparameter
class和SQL数据类型进行查询。谷歌it,请自便。无论何时遇到错误,请发布异常消息,如果适用,请发布stacktrace。此外,在不知道游戏模式的情况下,很难诊断SQL insert问题。好的,我将添加stacktrace。在这种情况下,stacktrace可能不如实际的异常消息和异常类型重要。仍然存在相同的问题ERRORSTAX error insert INTO语句中的错误语法错误。