
VB.NETアプリケーションに次のコードがあります。データを使ってOracleテーブルの列を更新しようとしています。アプリケーションを実行すると、「or_cmd_3.ExecuteNonQuery()」の行で「ORA-00933: SQLコマンドが正しく終了していません」というエラーが発生します。

このコードのSQL文を取り出し、一時変数をダミーの値に置き換えてTOADまたはSQL Developerで実行すると、正常に更新されます。何が足りないのでしょうか?

よろしくお願いします。

  ElseIf (oracle_summary_temp = ueio_tmpALM_Summary) And (oracle_request_ID_temp = ueio_tmpALM_ID) And added_to_alm = "1" AndAlso ({"Deferred", "Rejected", "Closed"}.Contains(ueio_tmpALM_Status)) Then
' Branch: the ALM issue matches the Oracle row (same summary and request id) and has
' reached a terminal status; write ISSUE_ADDED_TO_ALM = '2' plus the ALM fields
' onto the row whose ISSUE_SUMMARY matches.
Dim update_oracle As String = Nothing

' NOTE(review): the statement is built by splicing the ueio_tmpALM_* values straight
' into quoted literals. Any single quote inside one of those values breaks the SQL,
' and the values reach Oracle unescaped (SQL injection risk). Bind parameters
' (":name" placeholders + Parameters.Add) avoid both problems.
update_oracle =
"update SCHEMA.TABLE set ISSUE_ADDED_TO_ALM = '2'," & _
"ISSUE_STATUS = '" & ueio_tmpALM_Status & "'," & _
"ISSUE_REJECTED_REASON = '" & ueio_tmpALM_Rejected & "'," & _
"ISSUE_PHASE = '" & ueio_tmpALM_Current_Phase & "'," & _
"ISSUE_PRIORITY = '" & ueio_tmpALM_Priority & "'," & _
"ISSUE_SYSTEM_IMPACTED = '" & ueio_tmpALM_System_Impacted & "'," & _
"ISSUE_DQ_ANALYST = '" & ueio_tmpALM_DQ_Analyst & "'," & _
"ISSUE_COMMENTS = '" & ueio_tmpALM_Comments & "'," & _
"ISSUE_OWNER_DEPARTMENT = '" & ueio_tmpALM_Owner_Department & "'," & _
"ALM_ISSUE_ID = '" & ueio_tmpALM_ID & "'," & _
"DQ_Team = '" & ueio_tmpALM_DQ_Team & "'" & _
"where ISSUE_SUMMARY = '" & ueio_tmpALM_Summary & "'"
' NOTE: the closing "'" of the DQ_Team clause is joined to "where ..." with no
' space in between, so the text sent to Oracle reads  ...'where ISSUE_SUMMARY...
' That is the likely cause of ORA-00933 ("SQL command not properly ended");
' the same statement pasted into TOAD works only because the space gets retyped.

' Nothing in this branch disposes the command; a Using block would release it.
Dim or_cmd= New NetOracle.OracleCommand(update_oracle, OracleConn)
or_cmd.ExecuteNonQuery()



入力文字列を連結してクエリ文字列を組み立てるのは、常に悪い習慣です。
理由の1つは、一重引用符など、データベースのクエリ構文で意味を持ちクエリを壊してしまう文字を取り除かなければならないことです。しかし最も重要な理由は、SQLインジェクション攻撃を受ける可能性があることです。なお、今回のエラーの原因として考えられるのは、where句の前にスペースがないことです。次のように、埋め込んでいる値をすべてパラメータに置き換えるべきです。

' Same UPDATE as before, but every ueio_tmpALM_* value is supplied through a
' ":name" bind placeholder instead of being spliced into a quoted literal; only
' the constant '2' stays inline. Note the leading space in " where ..." on the
' last fragment, which keeps the where clause separated from the DQ_Team value.
update_oracle = "update SCHEMA.TABLE set " & _
       "ISSUE_ADDED_TO_ALM = '2'," & _ 
       "ISSUE_STATUS = :tmpALMStatus, " & _
       "ISSUE_REJECTED_REASON = :tmpALMRejected," & _ 
       "ISSUE_PHASE = :tmpALMCurrent_Phase, " & _
       "ISSUE_PRIORITY = :tmpALMPriority," & _
       "ISSUE_SYSTEM_IMPACTED = :tmpALMSystemImpacted," & _ 
       "ISSUE_DQ_ANALYST = :tmpALMDQAnalyst, " & _ 
       "ISSUE_COMMENTS = :tmpALMComments," & _
       "ISSUE_OWNER_DEPARTMENT = :tmpALMOwnerDepartment, " & _ 
       "ALM_ISSUE_ID = :tmpALM_ID," & _ 
       "DQ_Team = :tmpALM_DQ_Team" & _
       " where ISSUE_SUMMARY = :tmpALM_Summary" 

   ' NOTE(review): the parameters below are added in exactly the order their
   ' placeholders appear in the statement. Some Oracle providers (ODP.NET, unless
   ' OracleCommand.BindByName is set to True) bind by position rather than by
   ' name, so keep this order in sync with the SQL text if either side changes.
   ' Whether NetOracle binds by name or by position is not visible here - confirm.
   Dim or_cmd= New NetOracle.OracleCommand(update_oracle, OracleConn)   
   or_cmd.Parameters.AddWithValue(":tmpALMStatus",ueio_tmpALM_Status)
   or_cmd.Parameters.AddWithValue(":tmpALMRejected" ,ueio_tmpALM_Rejected )
   or_cmd.Parameters.AddWithValue(":tmpALMCurrent_Phase",ueio_tmpALM_Current_Phase)
   or_cmd.Parameters.AddWithValue(":tmpALMPriority",ueio_tmpALM_Priority)
   or_cmd.Parameters.AddWithValue(":tmpALMSystemImpacted" ,ueio_tmpALM_System_Impacted)
   or_cmd.Parameters.AddWithValue(":tmpALMDQAnalyst" ,ueio_tmpALM_DQ_Analyst)
   or_cmd.Parameters.AddWithValue(":tmpALMComments",ueio_tmpALM_Comments)
   or_cmd.Parameters.AddWithValue(":tmpALMOwnerDepartment",ueio_tmpALM_Owner_Department)
   or_cmd.Parameters.AddWithValue(":tmpALM_ID",ueio_tmpALM_ID)
   or_cmd.Parameters.AddWithValue(":tmpALM_DQ_Team",ueio_tmpALM_DQ_Team)
   or_cmd.Parameters.AddWithValue(":tmpALM_Summary",ueio_tmpALM_Summary)
   ' The command is not disposed in this snippet; wrap it in a Using block
   ' where the surrounding code allows.
   or_cmd.ExecuteNonQuery()         