SQL Injection prevention with Microsoft Access and VB.NET

Backend | Unresolved | 1 | 644
一个人的身影 2020-12-11 06:05

I'm a beginner in ASP.NET so I have some questions about how to prevent SQL injection in ASP.NET. My programming language is VB.NET, not C#, and I'm using Microsoft Access.

1 answer
    情歌与酒 2020-12-11 06:19

    Here is a very simple ASP.NET example using a parameterized query via OleDb in VB.NET:

    Default.aspx

    <%@ Page Title="Home Page" Language="vb" MasterPageFile="~/Site.Master" AutoEventWireup="false"
        CodeBehind="Default.aspx.vb" Inherits="vbOleDbSite._Default" %>

    <asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
        <%-- The server-control tags were lost in extraction and are reconstructed here from the IDs the
             code-behind references (FirstName, LastName, btnAddUser, spanStatus). ContentPlaceHolderID="MainContent"
             and the button caption are assumed from the default Site.Master template. --%>
        First Name: <asp:TextBox ID="FirstName" runat="server" />
        <br />
        Last Name: <asp:TextBox ID="LastName" runat="server" />
        <br />
        <asp:Button ID="btnAddUser" runat="server" Text="Add User" />
        <br />
        Status: <span id="spanStatus" runat="server">Awaiting submission...</span>
    </asp:Content>

    Default.aspx.vb

    Imports System.Data

    Public Class _Default
        Inherits System.Web.UI.Page

        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

        End Sub

        Protected Sub btnAddUser_Click(sender As Object, e As EventArgs) Handles btnAddUser.Click
            Dim newID As Long = 0
            Using con As New OleDb.OleDbConnection
                con.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\__tmp\testData.accdb;"
                con.Open()
                Using cmd As New OleDb.OleDbCommand
                    cmd.Connection = con
                    ' The user input never becomes part of the SQL text; each "?" is bound
                    ' positionally to the parameter added below, in the same order.
                    cmd.CommandText = "INSERT INTO UsersTable (LastName, FirstName) VALUES (?, ?);"
                    cmd.Parameters.AddWithValue("?", Me.LastName.Text)   ' first "?"
                    cmd.Parameters.AddWithValue("?", Me.FirstName.Text)  ' second "?"
                    cmd.ExecuteNonQuery()
                End Using
                ' @@IDENTITY is scoped to the connection, so this must run on the same open connection as the INSERT.
                Using cmd As New OleDb.OleDbCommand
                    cmd.Connection = con
                    cmd.CommandText = "SELECT @@IDENTITY"
                    newID = CLng(cmd.ExecuteScalar())
                End Using
                con.Close()
            End Using
            ' InnerText HTML-encodes its value, so echoing the submitted names back is safe against markup injection.
            Me.spanStatus.InnerText = "User """ & Me.FirstName.Text & " " & Me.LastName.Text & _
                    """ has been added (ID: " & newID.ToString() & ")."
        End Sub
    End Class

    Notes:

    • The parameterized query uses "?" instead of "real" names for the parameters because Access OLEDB ignores parameter names. The parameters must be defined in the exact order that they appear in the OleDbCommand.CommandText.

    • The [UsersTable] table has an AutoNumber primary key, and SELECT @@IDENTITY retrieves the new key value created by the INSERT INTO statement.

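A stand-alone VB.NET variant of the approach in the answer above, added here as an illustration (it is not code from the answer or from the original poster): it puts the string-concatenation form that a parameterized query replaces beside a small positional-parameter helper, and covers two cases the answer does not, a parameterized LIKE and the Date binding that Access rejects when left to AddWithValue's type inference. The database path and table name are taken from the answer; the column types, the prefix-search use case and the Module and function names are assumptions.

```vbnet
Imports System
Imports System.Data
Imports System.Data.OleDb

' Added illustration, not code from the answer. Assumes the same database as the answer
' (C:\__tmp\testData.accdb) with a table UsersTable(ID AutoNumber, LastName Text, FirstName Text);
' the column types are assumed.
Module AccessParameterDemo

    Private Const ConnStr As String =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\__tmp\testData.accdb;"

    ' The pattern to avoid: the value is spliced into the SQL text, so any quote
    ' character in lastName changes the structure of the statement instead of
    ' being compared as data. Kept only for contrast with the versions below.
    Public Function UnsafeCountByLastName(lastName As String) As Integer
        Dim sql = "SELECT COUNT(*) FROM UsersTable WHERE LastName = '" & lastName & "'"
        Using con As New OleDbConnection(ConnStr), cmd As New OleDbCommand(sql, con)
            con.Open()
            Return CInt(cmd.ExecuteScalar())
        End Using
    End Function

    ' Runs a scalar query in which every value travels as a parameter. Access OLE DB
    ' binds positionally: the i-th OleDbParameter goes to the i-th "?" in the text and
    ' the parameter name is ignored, so the caller must pass values in marker order.
    Public Function ExecuteScalarParameterized(sql As String, ParamArray values As Object()) As Object
        ' Guard against markers and values drifting apart (the usual positional-binding bug).
        ' A literal "?" inside a quoted string in the SQL would be miscounted; keep such
        ' literals out of the SQL text and pass them as parameters as well.
        Dim markerCount = sql.Split("?"c).Length - 1
        If markerCount <> values.Length Then
            Throw New ArgumentException(
                $"SQL has {markerCount} '?' markers but {values.Length} values were supplied.")
        End If

        Using con As New OleDbConnection(ConnStr), cmd As New OleDbCommand(sql, con)
            For i = 0 To values.Length - 1
                If TypeOf values(i) Is Date Then
                    ' AddWithValue infers DBTimeStamp for a Date, which Access rejects with
                    ' "Data type mismatch in criteria expression"; bind dates as OleDbType.Date.
                    cmd.Parameters.Add($"p{i}", OleDbType.Date).Value = values(i)
                Else
                    ' A null value must be sent as DBNull.Value, not Nothing.
                    cmd.Parameters.AddWithValue($"p{i}", If(values(i), DBNull.Value))
                End If
            Next
            con.Open()
            Return cmd.ExecuteScalar()
        End Using
    End Function

    ' Same query as UnsafeCountByLastName, with the value bound as a parameter.
    Public Function SafeCountByLastName(lastName As String) As Integer
        Return CInt(ExecuteScalarParameterized(
            "SELECT COUNT(*) FROM UsersTable WHERE LastName = ?", lastName))
    End Function

    ' LIKE is parameterized the same way: the wildcard belongs in the value, not in the
    ' SQL text. Through the ACE OLE DB provider the wildcard is the ANSI "%" (the Access
    ' UI wildcard "*" does not match here).
    Public Function CountByLastNamePrefix(prefix As String) As Integer
        Return CInt(ExecuteScalarParameterized(
            "SELECT COUNT(*) FROM UsersTable WHERE LastName LIKE ?", prefix & "%"))
    End Function

    Sub Main()
        Console.Write("Last name to look up: ")
        Dim lastName = Console.ReadLine()   ' untrusted input, passed straight through as data
        Console.WriteLine($"Exact matches:  {SafeCountByLastName(lastName)}")
        Console.WriteLine($"Prefix matches: {CountByLastNamePrefix(lastName)}")
    End Sub
End Module
```

Run it as a console project referencing System.Data with the ACE provider installed. The marker count check exists because positional binding fails silently when a value is added in the wrong order: the query still runs, just against the wrong columns, which is the kind of defect that only shows up as wrong data rather than as an exception.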