Login code:
...........
Dim sqlcmd As New SqlCommand
sqlcmd.Connection = sqlconn
sqlcmd.CommandType = Data.CommandType.Text
sqlcmd.CommandText = "select name,password from admininfo where(name='" + TextBox1.Text + "' and password='" + TextBox2.Text + "')"
sqlconn.Open()
Dim sqldr As SqlDataReader
sqldr = sqlcmd.ExecuteReader
If sqldr.Read() Then
Response.Write("<script language=""vbscript"">alert:登录成功!</script>")
(This cannot display "登录成功!"?)
Response.Redirect("register.aspx?name=" & TextBox1.Text & " & password=" & TextBox2.Text & "")
Else : Response.Redirect("errormsg.aspx")
End If
sqldr.Close()
sqlconn.Close()
Replace the code in red with the following (I heard this prevents SQL injection):
sqlcmd.parameters("@name").value=textbox1.text
sqlcmd.parameters("@password").value=textbox2.text
sqlcmd.CommandText = "select name,password from admininfo where(name=@name)and (password=@password)"
Error: 此 SqlParameterCollection 中未包含带有 ParameterName“@name”的 SqlParameter
Could you experts take a look? Thanks!
sqlcmd.Parameters.Add(New SqlParameter("@name", SqlDbType.NVarChar, 64))
sqlcmd.Parameters.Add(New SqlParameter("@password", SqlDbType.NVarChar, 128))
sqlcmd.Parameters("@name").Value = TextBox1.Text
sqlcmd.Parameters("@password").Value = TextBox2.Text
The SQL statement does not define any parameters, so using parameterized SQL naturally fails. It depends on which database you are using; SQL Server 2000 uses @ as the parameter prefix, e.g.
sqlcmd.CommandText = "select name,password from admininfo where (name=@name) and (password=@password)"
Add them with New SqlParameter:
Dim sqlParameters(3) As SqlParameter
sqlParameters(0) = New SqlParameter("@description", Data.SqlDbType.VarChar)
sqlParameters(0).Value = "This is a picture"
sqlParameters(1) = New SqlParameter("@content", Data.SqlDbType.Image) ' name assumed; the original repeated "@description" here
sqlParameters(1).Value = content
sqlParameters(2) = New SqlParameter("@imagesize", Data.SqlDbType.Int)
sqlParameters(2).Value = content.Length
sqlParameters(3) = New SqlParameter("@imagetype", Data.SqlDbType.NVarChar)
sqlParameters(3).Value = obj.Extension
command.Parameters.AddRange(sqlParameters) ' Parameters is read-only, so it cannot be assigned directly
OP, directly adding the parameter on the command's Parameters with sqlcmd.parameters("@name").value=textbox1.text does not work.
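As an added example (not any poster's code), here is the login query from this thread rewritten in VB.NET so that each SqlParameter is added to the collection before its value is set, which is what the "@name not contained" error was about. It assumes a web.config connection string named admindb and the same admininfo(name, password) table as the post; the class and function names are made up for the example.

```vbnet
' Added example, not the original post's code.
' Assumes a connection string named "admindb" in web.config.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration

Public Class AdminLogin
    ' Returns True when a row matches. The values travel separately from
    ' the SQL text, so quotes or comment markers typed into the text boxes
    ' are compared literally instead of changing the statement.
    Public Shared Function Authenticate(ByVal name As String, ByVal password As String) As Boolean
        Dim connStr As String = ConfigurationManager.ConnectionStrings("admindb").ConnectionString
        Using sqlconn As New SqlConnection(connStr)
            Using sqlcmd As New SqlCommand()
                sqlcmd.Connection = sqlconn
                sqlcmd.CommandType = CommandType.Text
                ' 1. The placeholders must appear in the SQL text itself.
                sqlcmd.CommandText = "SELECT name, password FROM admininfo WHERE name = @name AND password = @password"
                ' 2. Each parameter must be added to the collection first;
                '    sqlcmd.Parameters("@name") throws when no such name exists.
                '    Size is the column width: longer input is truncated, not rejected,
                '    so validate length before calling this function.
                sqlcmd.Parameters.Add(New SqlParameter("@name", SqlDbType.NVarChar, 64))
                sqlcmd.Parameters.Add(New SqlParameter("@password", SqlDbType.NVarChar, 128))
                ' 3. Only now can the values be assigned by name.
                sqlcmd.Parameters("@name").Value = name
                sqlcmd.Parameters("@password").Value = password
                sqlconn.Open()
                Using sqldr As SqlDataReader = sqlcmd.ExecuteReader()
                    Return sqldr.Read()
                End Using
            End Using
        End Using
    End Function
End Class
```

The page's Response.Redirect can then branch on AdminLogin.Authenticate(TextBox1.Text, TextBox2.Text) instead of building the query inline.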