C# OleDb更新查询
我不熟悉在C#中使用Access数据库,想知道是否有可能替换此代码C# OleDb更新查询,c#,database,ms-access,oledbcommand,C#,Database,Ms Access,Oledbcommand,我不熟悉在C#中使用Access数据库,想知道是否有可能替换此代码 string sql = "UPDATE Volunteer SET VolunteerName = @VolunteerName, NickName = @NickName, ContactNo = @ContactNo WHERE VolunteerID = @VolunteerID "; dbCmd = new OleDbCommand(sql, dbConn); dbCmd.Parameters.AddWithVa
string sql = "UPDATE Volunteer SET
VolunteerName = @VolunteerName,
NickName = @NickName,
ContactNo = @ContactNo
WHERE VolunteerID = @VolunteerID ";
dbCmd = new OleDbCommand(sql, dbConn);
dbCmd.Parameters.AddWithValue("@VolunteerName", txtLastName.Text);
dbCmd.Parameters.AddWithValue("@NickName", txtFirstName.Text);
dbCmd.Parameters.AddWithValue("@ContactNo", txtContact.Text);
dbCmd.Parameters.AddWithValue("@VolunteerID", txtVolunteerID.Text);
用类似的东西
string sql = "UPDATE Volunteer SET
VolunteerName = "+ txtLastName.Text +",
NickName = "+ txtFirstName.Text +",
ContactNo = "+ txtContact.Text +"
WHERE VolunteerID = "+ txtVolunteerID.Text ";
dbCmd = new OleDbCommand(sql, dbConn);
坏主意,坏主意,坏主意。使用参数的正确版本是正确的方法。唯一的调整是使用正确的类型添加值,而不是使用
AddWIthValue()
.googlesql注入攻击
来了解建议的代码为何不好。