我在使用ASP.NET+C#操作数据库遇到点问题，HELP

that is classic SQL inject attack, either you have to filter the text or use a paramterized query          string insertStr = "Insert into Gbook (Title,Username,Sex,Email,Oicq,Homepage,HeartPic,HeadPic,Content,Uptime) Values (?,?,?,?,?,?,?,?,?,?)";OleDbConnection conn = new OleDbConnection(conStr);
         conn.Open();
         OleDbCommand comm = new OleDbCommand(insertStr,conn);
comm.Paramters.Add("@Title",title.Text);
comm.Paramters.Add("@User",Username.Text);
comm.Paramters.Add("@Sex",Sex.SelectedItem.Text);
comm.Paramters.Add("@Email",mail.Text);
comm.Paramters.Add("@Oicq",OICQ.Text);
comm.Paramters.Add("@Homepage",homepage.Text );
comm.Paramters.Add("@HeartPic",Pic.SelectedItem.Value);
comm.Paramters.Add("@HeadPic",Head.SelectedItem.Value);
comm.Paramters.Add("@Content",content.Text);
comm.Paramters.Add("@Uptime",DateTime.Now.ToString());//comm.Paramters.Add("@Uptime",DateTime.Now); //>>comm.ExecuteNonQuery();
conn.Close();
Response.Redirect("Default.aspx");

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

sorry, replace comm.Paramters with comm.Parameters.
sql server 中的转义字符为',改成下面这样试试
string insertStr = "Insert into Gbook (Title,Username,Sex,Email,Oicq,Homepage,HeartPic,HeadPic,Content,Uptime) Values ('"
            + title.Text + "','"
            + Username.Text + "','"
            + Sex.SelectedItem.Text + "','"
            + mail.Text + "','"
            + OICQ.Text + "','"
            + homepage.Text + "','"
            + Pic.SelectedItem.Value + "','"
            + Head.SelectedItem.Value + "','"
            + content.Text.Replace("'","''") + "','"
            + DateTime.Now.ToString() + "')";
         OleDbConnection conn = new OleDbConnection(conStr);
         conn.Open();
         OleDbCommand comm = new OleDbCommand(insertStr,conn);
         comm.ExecuteNonQuery();
         conn.Close();
         Response.Redirect("Default.aspx");
      }
感谢saucer(思归)
问题解决了。谢谢