Tags: t-sql, vb.net, asp.net, ado.net
Dim cmdSelect As New SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code =" & lab5.Text & "ORDER BY [Ticket_no] DESC", SQLData)
You are building the SQL query with string concatenation instead of using a parameterized query or a stored procedure. That is the mistake. Here is how to improve it:
' The SQL text is fixed; the value is bound as a parameter instead of being spliced into the statement
Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code = @serv_code ORDER BY [Ticket_no] DESC", SQLData)
cmdSelect.Parameters.AddWithValue("@serv_code", lab5.Text)
Now your query will work, and not only that, it is also safe against SQL injection.
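An added example, not code from the question or the answer, that puts the concatenated query beside a parameterised one in a complete VB.NET module. The connection string, the function names and the sample input are assumptions; the hardened query uses TOP 1 in place of DISTINCT because SQL Server rejects DISTINCT when the ORDER BY column is not in the select list.

```vb
' Added example: unsafe concatenation next to a parameterised query.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module SeatQuery
    ' Placeholder connection string (assumption); replace with the real one.
    Private Const ConnStr As String = "Server=.;Database=Tickets;Integrated Security=true"

    ' The pattern from the question: user input becomes part of the SQL text.
    ' Besides the injection risk, the missing space before ORDER BY and the
    ' unquoted value make this a syntax error for most inputs.
    Public Function BuildUnsafeSql(servCode As String) As String
        Return "SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code =" & servCode & "ORDER BY [Ticket_no] DESC"
    End Function

    ' Parameterised version: the statement is constant and the value travels
    ' separately, so it can never alter the query's structure. An explicit
    ' SqlDbType and length avoid the type guessing that AddWithValue does.
    Public Function GetRemainingSeats(servCode As String) As Integer?
        Const sql As String = "SELECT TOP 1 [seat_remain] FROM [a1_ticket] WHERE serv_code = @serv_code ORDER BY [Ticket_no] DESC"

        Using conn As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.Add("@serv_code", SqlDbType.VarChar, 20).Value = servCode
                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                ' No matching row (Nothing) or a NULL column (DBNull) both map to Nothing.
                If result Is Nothing OrElse result Is DBNull.Value Then
                    Return Nothing
                End If
                Return Convert.ToInt32(result)
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed input containing a quote: harmless as a parameter value,
        ' but it lands inside the SQL text in the concatenated version.
        Dim input As String = "A1'"
        Console.WriteLine(BuildUnsafeSql(input))
        ' GetRemainingSeats(input) needs the database from ConnStr to exist.
    End Sub
End Module
```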