Updated: 2023-02-13 15:28:17
Use a parameterized query and it should overcome the problem.
OleDbCommand.Parameters Property (System.Data.OleDb)
Example: (untested)
Imports System.Data
Imports System.Data.OleDb
' con is an already opened OleDbConnection
Dim cmd As New OleDbCommand("SP_ExpEntry", con)
cmd.CommandType = CommandType.StoredProcedure
' Each value is bound as a parameter, never spliced into the SQL text
cmd.Parameters.AddWithValue("@OperationId", 1)
cmd.Parameters.AddWithValue("@Eid", TxtEXid.Text)
cmd.Parameters.AddWithValue("@ExDt", PKREXdt.Value)
cmd.Parameters.AddWithValue("@EnDT", PkrEntryDt.Value)
cmd.ExecuteNonQuery()
As suggested by @losmac, here are some resources about SQL Injection and why parameterized queries are best...
SQL Injection - OWASP
SQL Injection Prevention Cheat Sheet - OWASP
bobby-tables.com: A guide to preventing SQL injection
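To make the contrast in the answer concrete, here is an added VB.NET example (not the answerer's code): the string-concatenated command that is open to injection next to parameterized OleDbCommand calls with explicitly typed parameters, using the same stored procedure and parameter names as above. The connection string, the ExpEntry table and its columns are assumptions. One caveat worth knowing: the OLE DB provider binds parameters by position, not by name, so they must be added in the order the command or procedure expects.

```vb
Imports System.Data
Imports System.Data.OleDb

Public Module ExpenseEntry
    ' Assumed connection string (placeholder): replace with your own.
    Private Const ConnStr As String =
        "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Expenses;Integrated Security=SSPI"

    ' Vulnerable pattern: user text is spliced into the SQL string, so whatever
    ' the user types is parsed as SQL instead of being treated as data.
    Public Function BuildUnsafeSql(eid As String) As String
        Return "SELECT COUNT(*) FROM ExpEntry WHERE Eid = '" & eid & "'"
    End Function

    ' Safe pattern: the value travels as a bound parameter and is never parsed
    ' as SQL. OleDb uses '?' placeholders and binds by position, so the order
    ' of Parameters.Add calls must match the order of the placeholders.
    Public Function CountEntries(eid As String, exDt As Date) As Integer
        Using con As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand(
                    "SELECT COUNT(*) FROM ExpEntry WHERE Eid = ? AND ExDt = ?", con)
                cmd.Parameters.Add("@Eid", OleDbType.VarChar, 20).Value = eid
                cmd.Parameters.Add("@ExDt", OleDbType.Date).Value = exDt
                con.Open()
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    ' Same rule for the stored procedure from the answer: explicit types avoid
    ' the implicit conversions AddWithValue makes, and parameters are added in
    ' the procedure's declaration order.
    Public Sub InsertEntry(eid As String, exDt As Date, enDt As Date)
        Using con As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand("SP_ExpEntry", con)
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.Add("@OperationId", OleDbType.Integer).Value = 1
                cmd.Parameters.Add("@Eid", OleDbType.VarChar, 20).Value = eid
                cmd.Parameters.Add("@ExDt", OleDbType.Date).Value = exDt
                cmd.Parameters.Add("@EnDT", OleDbType.Date).Value = enDt
                con.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub
End Module
```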