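INSERT statement ignoring a piece

I have a modal popup that is supposed to upload files. It does this fine, except that it doesn't give them a title, so nothing shows up on my page, because Title is how they are displayed in the list. What should I replace LinkTitle.Text with to make this work? I'm trying to fix this guy's code because it wasn't working properly. I've added a comment below with the new, parameterized code. This is in ASP.NET 4.0 VB with Microsoft SQL Server.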

```vb
'Requires Imports System.Data.SqlClient at the top of the code-behind file.
Protected Sub SubmitDocument_Click(ByVal sender As Object, ByVal e As EventArgs) Handles SubmitDocument.Click
    DocumentModal.Hide()
    'Builds the full absolute URL to be inserted into the database.
    Dim hostURL As String = Request.Url.Scheme & "://" & Request.Url.Host & ":" & Request.Url.Port & Request.ApplicationPath
    'User-supplied values are concatenated straight into the SQL text.
    Dim sqlFileHREF As String = "INSERT INTO Marketing (ProductID, MarketingTypeID, MarketingTitle, MarketingData) VALUES (" & ProductID.Value & " ,4, '" & LinkTitle.Text & "', '" & hostURL & "uploads/" & ProductID.Value & "/" & DocumentUpload.FileName & "')"
    'Strings are immutable, so this call discards its result and leaves sqlFileHREF unchanged.
    sqlFileHREF.Replace("'", "''")
    'Create SQL Connection
    Dim SqlConnection As New SqlConnection("****************************************")
    SqlConnection.Open()
    Dim sqlCommand As New SqlCommand(sqlFileHREF, SqlConnection)
    sqlCommand.ExecuteNonQuery()
    SqlConnection.Close()
    Response.Redirect(Request.RawUrl)
End Sub
```

```aspx
<!-- Add a Document -->
<li>
    <asp:LinkButton ID="DocumentButton" runat="server">Document</asp:LinkButton>
    <asp:Panel ID="DocumentPanel" runat="server" CssClass="modalPopup" Style="display:none">
        <asp:FileUpload ID="DocumentUpload" runat="server" />
        <asp:Button ID="SubmitDocument" runat="server" Text="Upload" onclick="SubmitDocument_Click" />
        <asp:Button ID="CancelDocument" runat="server" Text="Cancel" />
        <asp:HiddenField ID="filename" runat="server" />
    </asp:Panel>
    <asp:ModalPopupExtender ID="DocumentModal" runat="server" DropShadow="True" DynamicServicePath="" Enabled="True" PopupControlID="DocumentPanel" TargetControlID="DocumentButton"></asp:ModalPopupExtender>
</li>
```
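
Where are you doing this, and with what? – Fionnuala

Note: use parameters, NOT string concatenation. You are asking for a SQL injection vulnerability. –

When you show the popup, you supply LinkTitle.Text, no? – gbn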
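
The parameterized form of the INSERT that the comment above calls for, as an added example (not the asker's code and not the parameterized version the question mentions). The module and function names, the parameter types and lengths, and the fall-back of an empty title to the file name are assumptions; the table, columns and the MarketingTypeID value 4 are taken from the question.

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.IO

Public Module MarketingDocuments
    ' Hypothetical helper (not from the question). Every user-controlled value
    ' is bound as a parameter, so it is sent as data and never parsed as SQL.
    Public Function InsertDocumentLink(ByVal connectionString As String,
                                       ByVal productIdText As String,
                                       ByVal title As String,
                                       ByVal hostUrl As String,
                                       ByVal uploadedFileName As String) As Integer
        ' ProductID.Value comes from a hidden field, which the client can edit.
        Dim productId As Integer
        If Not Integer.TryParse(productIdText, productId) Then
            Throw New ArgumentException("ProductID is not an integer.", "productIdText")
        End If

        ' Defensive: keep only the file-name part, dropping any directory component.
        Dim fileName As String = Path.GetFileName(uploadedFileName)
        If String.IsNullOrWhiteSpace(fileName) Then
            Throw New ArgumentException("No file was uploaded.", "uploadedFileName")
        End If

        ' Assumption: when no title is supplied, list the document by file name.
        If String.IsNullOrWhiteSpace(title) Then title = fileName

        ' Same URL layout as the question, with the file name percent-encoded.
        Dim href As String = hostUrl & "uploads/" & productId.ToString() & "/" &
                             Uri.EscapeDataString(fileName)

        Const sql As String =
            "INSERT INTO Marketing (ProductID, MarketingTypeID, MarketingTitle, MarketingData) " &
            "VALUES (@ProductID, 4, @Title, @Data)"

        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, conn)
                ' Column types and lengths are assumptions; match them to the table.
                cmd.Parameters.Add("@ProductID", SqlDbType.Int).Value = productId
                cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 255).Value = title
                cmd.Parameters.Add("@Data", SqlDbType.NVarChar, 2048).Value = href
                conn.Open()
                Return cmd.ExecuteNonQuery()   ' number of rows inserted
            End Using
        End Using
    End Function
End Module
```

From the click handler this would be called with `ProductID.Value`, the title text, `hostURL` and `DocumentUpload.FileName`; a title or file name containing an apostrophe is then stored verbatim instead of breaking the statement.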