高分求解!
高分求解!十万火急!C# codeCommentID Request.Form[ID]content Request.Form[txtcontent]title
高分求解!十万火急!
C# codeCommentID = Request.Form["ID"]; content = Request.Form["txtcontent"]; title = Request.Form["title"]; string strSQL = ""; strSQL = "update tablename set content='" + content + "',title='" + title + "'where ID=" + CommentID; Common.SqlHelper.ExecuteSql(Common.SqlHelper.YCSqlServer, strSQL);
Request.Form["TEXTAREA2"]里的值为<img src='http://images.qwsy.com/images/faces/005.gif' border='0' />
所以在执行sql语句的时候肯定会出语法错误
求解决方案!
[解决办法]strSQL = "update tablename set content='" + content.Replace("'","''") + "',title='" + title.Replace("'","''") + "'where ID=" + CommentID;
[解决办法]最好的方法是参数化
strSQL = "update tablename set content=@content,title=@title Where ID=@ID"
cmd.Parameters.AddWithValue("@content",content);
cmd.Parameters.AddWithValue("@title ",title );
cmd.Parameters.AddWithValue("@ID",CommentID );
cmd.ExecuteNonQuery()
[解决办法][解决办法]Request.Form["TEXTAREA2"]里的值为<img src='http://images.qwsy.com/images/faces/005.gif' border='0' />
你要的是这个值吗 还是?
[解决办法][解决办法]参数化。。你这样还容易被sql注入
