此webmethod從數據庫中檢索plist,firstaname,lastname,orgid,然後在2個不同的表中插入2行。第一個SQL是好的 - 第二次犯規運行我的vb.net webmethod有什麼問題?
<WebMethod()> _
Public Function Register(ByVal meetingid As String, ByVal myid As String, ByVal PartType As Integer, ByVal startDate As String) As String
Dim connection As New SqlConnection(ConfigurationManager.ConnectionStrings("EPBconnection").ConnectionString)
Dim sSQL As String
Dim plistid As String = ""
Dim LastName As String = ""
Dim FirstName As String = ""
Dim orgID As String = ""
'get plistID
sSQL = "select pl.PLIST_ID"
sSQL = sSQL + " From PERSON_LIST pl"
sSQL = sSQL + " Where MTG_ID = '" + meetingid + "'"
Dim myCommand As New SqlCommand(sSQL, connection)
connection.Open()
Dim myReader As SqlDataReader = myCommand.ExecuteReader
While myReader.Read()
plistid = myReader("PLIST_ID").ToString()
End While
connection.Close()
'get firstname, lastname, orgid
sSQL = "SELECT p.LASTNAME, p.FIRSTNAME, p.ORGA_ID FROM PERSON p WHERE PERSON_ID = '" + myid + "'"
myCommand = New SqlCommand(sSQL, connection)
connection.Open()
myReader = myCommand.ExecuteReader
While myReader.Read()
LastName = myReader("LASTNAME").ToString()
FirstName = myReader("FIRSTNAME").ToString()
orgID = myReader("ORGA_ID").ToString()
End While
connection.Close()
Return "You are registered for this meeting"
End Function
當我刪除它返回的字符串,但否則它不以下(編譯沒有錯誤,無論哪種方式):
While myReader.Read()
LastName = myReader("LASTNAME").ToString()
FirstName = myReader("FIRSTNAME").ToString()
orgID = myReader("ORGA_ID").ToString()
End While
的問題似乎是來自何處myReader.Read()???我不明白爲什麼
您應該考慮使用存儲過程而不是有線SQL,併爲您的代碼添加一些異常處理 – davibq 2013-03-04 17:22:57
我認爲我立即發現錯誤的是,您的代碼易受sql注入攻擊**實際上_begging_被黑客攻擊。 – 2013-03-04 17:25:34
哦,男孩的SQL注入錯誤。請查看參數替換。另外,如果你的問題與SQL有關,你應該向我們提供發送給服務器的實際查詢及其產生的錯誤,而不僅僅是構成查詢的代碼牆。 – millimoose 2013-03-04 17:25:37