您的SQL語法有錯誤;檢查對應於你的MySQL服務器版本在1號線sql語法錯誤
廣東話使用附近「)」正確的語法手冊似乎解決這個錯誤:
protected void Page_Load(object sender, EventArgs e)
{
if (Page.IsPostBack)
{
//It is a postback so check if it was by div click (NOT WORKING because the javascript isnt posting back)
string target = Request["__EVENTTARGET"];
if (target == "DivClicked")
{
string id = Request["__EVENTARGUMENT"];
//Call my delete function passing record id
using (OdbcConnection cn = new OdbcConnection("Driver={MySQL ODBC 3.51 Driver}; Server=localhost; Database=gymwebsite2; User=root; Password=commando;"))
{
cn.Open();
using (OdbcCommand cmd = new OdbcCommand("DELETE FROM WallPosting WHERE idWallPosting="+id+")", cn))
{
cmd.ExecuteNonQuery();
}
}
}
}
string theUserId = Session["UserID"].ToString();
PopulateWallPosts(theUserId);
}
天哪!我當然希望'id'不是'1或1 = 1; DROP TABLE WallPosting; - ' – 2011-03-31 03:13:31
:O你是什麼意思? – 2011-03-31 03:23:28
使用參數化查詢,而不是直接從發佈的表單中獲取值。這是一個SQL注入漏洞,無需將查詢參數化到數據庫中。 – 2011-03-31 03:29:54