以下是我尝试将数据插入“ ArticlesTBL”表中的代码。我也想将图像文件上传到我的计算机。
我收到错误消息:“ UploadedUserFiles”附近的语法不正确。
using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.Web.UI; using System.Web.UI.WebControls; using System.IO; using System.Data; using System.Data.SqlClient; using System.Web.Configuration; public partial class _CopyOfSubmitArticle : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { } protected void uploadbutton_Click(object sender, EventArgs e) { string UpPath = Server.MapPath("~/UploadedUserFiles"); int imgSize = FileUpload1.PostedFile.ContentLength; string imgName = FileUpload1.FileName; string imgPath = "UploadedUserFiles/" + imgName; if (FileUpload1.PostedFile.ContentLength > 1000000) { Page.ClientScript.RegisterClientScriptBlock(typeof(Page), "Alert", "alert('File is too big')", true); } else { FileUpload1.SaveAs(Server.MapPath(imgPath)); myinfo.Text = "file" + imgPath + "uploaded."; } String connectionString = WebConfigurationManager.ConnectionStrings["ConnectAntiFrack"].ConnectionString; SqlConnection myConnection = new SqlConnection(connectionString); myConnection.Open(); string ArticleImg = "UploadedUserFiles/" + FileUpload1.FileName; string ArticleTitle = ArticleTitleTextBox.Text; string ArticleContent = ArticleContentTextBox.Text; string ArticleType = ArticleTypeDropdown.Text.ToString(); string ArticleAuthor = ArticleAuthorTextBox.Text.ToString(); string ArticleBrief = ArticleBriefTextBox.Text; string ArticleDateTime = DateTime.Now.ToShortTimeString(); string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief, ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews) VALUES (" + ArticleTitle +", " + ArticleContent +", "+ ArticleType +" " + ArticleImg +", "+ ArticleBrief +"," + ArticleDateTime + ", "+ ArticleAuthor +",'False', 'False', '0')"; SqlCommand myCommand = new SqlCommand(query, myConnection); myCommand.ExecuteNonQuery(); // myinfo.Text = "connection to db is made"; myConnection.Close(); }
您应该在查询中使用参数来防止攻击,例如有人输入'); drop table ArticlesTBL;--' 了其中一个作为值之一。
'); drop table ArticlesTBL;--'
string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief, ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews)"; query += " VALUES (@ArticleTitle, @ArticleContent, @ArticleType, @ArticleImg, @ArticleBrief, @ArticleDateTime, @ArticleAuthor, @ArticlePublished, @ArticleHomeDisplay, @ArticleViews)"; SqlCommand myCommand = new SqlCommand(query, myConnection); myCommand.Parameters.AddWithValue("@ArticleTitle", ArticleTitleTextBox.Text); myCommand.Parameters.AddWithValue("@ArticleContent", ArticleContentTextBox.Text); // ... other parameters myCommand.ExecuteNonQuery();
