Question

更新SQL记录是遇到的问题

Protected Sub dg1_UpdateCommand(ByVal source As Object, ByVal e As System.Web.UI.WebControls.DataGridCommandEventArgs) Handles dg1.UpdateCommand
Dim cnn As New SqlConnection("Data Source=localhost;Initial Catalog=cdshop;Integrated Security=True")
Dim strSql As String
Dim pID, pName, pLei, pInfo, pPrice, pSale As TextBox
pID = e.Item.Cells(0).Controls(0)
pName = e.Item.Cells(1).Controls(0)
pLei = e.Item.Cells(2).Controls(0)
pInfo = e.Item.Cells(3).Controls(0)
pPrice = e.Item.Cells(4).Controls(0)
pSale = e.Item.Cells(5).Controls(0)
strSql = "Update Products Set ProductID='" & pID.Text & "',ProductName='" & pName.Text & "',CategoryID=" & CInt(pLei.Text) & ",Description='" & pInfo.Text & "',UnitPrice='" & pPrice.Text & "',OnSale='" & pSale.Text & "'where ProductNum= " & dg1.DataKeys(CInt(e.Item.ItemIndex))
Dim cmd As New SqlCommand(strSql, cnn)
cnn.Open()
cmd.ExecuteNonQuery()
cnn.Close()
dg1.EditItemIndex = -1
dg1.DataBind()
End Sub

pName.Text字段中的单引号与语句中的单引号混淆

Answer 1

使用commad对象的parameters集合来传递参数
否则的话用户输入单引号等是会产生错误，事实上sql注入攻击就是利用这些原理进行的。所以执行sql语句是所有的用户输入信息都要存入parameters中而不是直接构造语句字符串

Answer 2

同上，使用参数来传递字符串。
或者把'Replace为''e.g.
pName.Text.Replace("'", "''");