0

我正在尝试使用 VB 按钮将数据插入数据库,但它不断显示我为异常准备的错误消息。

谁能帮我解释为什么这不更新数据库?

   Protected Sub Button1_Click(sender As Object, e As System.EventArgs) Handles Button1.Click

    Dim connetionString As String
    Dim sqlCnn As SqlConnection
    Dim sql As String
    Dim adapter As New SqlDataAdapter
    Dim Customer As String = TextBox1.Text
    Dim Product As String = TextBox2.Text
    Dim Location As String = TextBox3.Text
    Dim Details As String = TextBox4.Text
    Dim Owners As String = DropDownList1.Text
    Dim Urgency As String = DropDownList2.Text


    connetionString = "Data Source=ZUK55APP02;Initial Catalog=BugFixPortal;User ID=SLC***;Password=rep***"
    sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details) VALUES ('" & Owners & ", " & Customer & ", " & Product & ", " & Location & ", " & Urgency & ", " & Details & "')"
    sqlCnn = New SqlConnection(connetionString)

    Try
        sqlCnn.Open()
        adapter.UpdateCommand = sqlCnn.CreateCommand
        adapter.UpdateCommand.CommandText = sql
        adapter.UpdateCommand.ExecuteNonQuery()
        sqlCnn.Close()

    Catch ex As Exception
        MsgBox("Unable to update Database with Request - Please speak to Supervisor!")

    End Try

End Sub
4

5 回答 5

2

我不会走这条路,因为你的代码对 SQL 注入很弱

您应该改用参数。如下所示

c.Open();
string insertString = @"insert into YourTable(name, street, city,....) values(@par1,  @par2, @parN,....)"
SqlCommand cmd = new SqlCeCommand(insertString, c);
cmd.Parameters.Add("@par1", SqlDbType.VarChar).Value = "MyName";
//etc
cmd.ExecuteNonQuery();
c.Close();
于 2012-05-25T16:35:59.540 回答
1

您错误地引用了您的价值观。

此字符串在所有值周围都有一个开始和结束单引号,这是不正确的。

VALUES ('" & Owners & ", " & Customer & ", " & Product & ", " & Location & ", " & Urgency & ", " & Details & "')"

相反,在字符数据周围加上单引号,例如,如果Product是 varchar,它看起来像这样:

VALUES (" & Owners & ", " & Customer & ", '" & Product & "', " & Location & ", " & Urgency & ", " & Details & ")"

但是,真正的问题是您应该改用参数化查询。此代码容易受到 SQL 注入攻击。

于 2012-05-25T16:32:21.273 回答
1

改变这个;

MsgBox("Unable to update Database with Request - Please speak to Supervisor!")

像这样的东西;

MsgBox("Unable to update Database with Request - Please speak to Supervisor!" & ex.Message)

它将为您提供有关异常的更多详细信息,但是快速浏览一下我可以看到一个问题,您尝试插入的值是字符串,您已将所有值包含在一组 ' 字符中,而不是包含每个一对 ' 值中的字符串参数,即

sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details) VALUES ('" & Owners & "', '" & Customer & "', '" & Product & "',' " & Location & "', '" & Urgency & "', '" & Details & "')"
于 2012-05-25T16:34:46.123 回答
1

你真的应该考虑参数化你的查询,因为你很容易受到 SQL 注入攻击。看这里

就您的代码本身而言,您的 SQL 语法是错误的,因为您需要在每个值周围加上撇号。尝试这个:

sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details)
VALUES ('" & Owners & "', '" & Customer & "', '" & Product &
     "', '" & Location & "', '" & Urgency & "', '" & Details & "')"

这是一个使用参数的示例

sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details)
VALUES ('@Owners', '@Customer', '@Product', '@Location', '@Urgency', '@Details')"

然后像这样添加参数:

command.Parameters.AddWithValue("@Owners", Owners)
command.Parameters.AddWithValue("@Customer", Customer)
command.Parameters.AddWithValue("@Product", Product)
command.Parameters.AddWithValue("@Location", Location)
command.Parameters.AddWithValue("@Urgency", Urgency)
command.Parameters.AddWithValue("@Details", Details)
于 2012-05-25T16:34:46.450 回答
0

我想你想用adapter.InsertCommand而不是adapter.UpdateCommand

Try
    sqlCnn.Open()
    adapter.UpdateCommand = sqlCnn.CreateCommand //(adapter.InsertCommand)
    adapter.UpdateCommand.CommandText = sql //(adapter.InsertCommand)
    adapter.UpdateCommand.ExecuteNonQuery() //(adapter.InsertCommand)
    sqlCnn.Close()

Catch ex As Exception
    MsgBox("Unable to update Database with Request - Please speak to Supervisor!")

End Try

并同意参数化的 sql 查询

有关更多信息,请参阅http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqldataadapter.aspx

于 2012-05-25T16:46:44.957 回答