1

我很难将 WONum 插入到我的 sql 字符串中。我尝试在 WONum 周围使用 ' 和 double ''。有人还建议 # 和 [] 围绕它,但到目前为止没有任何效果。

我不断收到以下错误:“1577”附近的语法不正确

WONum 值在运行时实际上是 WO-1577,但是当 DA.fill 被执行时,我得到了那个错误。我开始认为破折号在 sql 中做了一些我不知道的事情。任何帮助都会有所帮助,因为我必须在我的应用程序中执行更多类似的功能。

Public Function GetTechTimes(ByVal WONum As String)

    Dim strSQL As String = "Select customer_name, workorder_work_to_be_performed, workorder_work_performed, workorder_notes, workorder_warranty_work, workorder_open_date, workorder_status,workorder_completion_date, wo_tech_name, wo_tech_time, wo_parts_description from Customers, workorders, WorkOrder_Technicians, WorkOrder_Parts Where(customer_id = workorder_customer And wo_tech_wo_id = workorder_id And wo_parts_wo_id = workorder_id And workorder_number = " & WONum & ""
    Dim DA As New SqlDataAdapter(strSQL, Conn)
    Dim DS As New DataSet
    DA.Fill(DS, "TechTimes")
    Return DS
End Function
4

2 回答 2

5

使用Sql-Parameters!这将避免转换或其他问题 - 更重要的是 - 防止SQL 注入攻击

Public Function GetTechTimes(ByVal WONum As String) As DataSet
    Dim strSQL As String = "SELECT customer_name, " & Environment.NewLine & _
    "workorder_work_to_be_performed," & Environment.NewLine & _
    "workorder_work_performed, " & Environment.NewLine & _
    "workorder_notes, " & Environment.NewLine & _
    "workorder_warranty_work, " & Environment.NewLine & _
    "workorder_open_date, " & Environment.NewLine & _
    "workorder_status, " & Environment.NewLine & _
    "workorder_completion_date," & Environment.NewLine & _
    "wo_tech_name, " & Environment.NewLine & _
    "wo_tech_time, " & Environment.NewLine & _
    "wo_parts_description" & Environment.NewLine & _
    "FROM(customers," & Environment.NewLine & _
    "       workorders," & Environment.NewLine & _
    "       workorder_technicians," & Environment.NewLine & _
    "       workorder_parts)" & Environment.NewLine & _
    "WHERE customer_id = workorder_customer " & Environment.NewLine & _
    "AND wo_tech_wo_id = workorder_id " & Environment.NewLine & _
    "AND wo_parts_wo_id = workorder_id " & Environment.NewLine & _
    "AND workorder_number = @workorder_number "

    Using con = New SqlConnection(YourConnectionString)
        Using da = New SqlDataAdapter(strSQL, con)
            da.SelectCommand.Parameters.AddWithValue("@workorder_number", WONum)
            Dim DS As New DataSet
            da.Fill(DS)
            Return DS
        End Using
    End Using
End Function

请注意,我还使用Using-statements 来确保即使在出现异常的情况下也能处理所有内容。

顺便说一下,你的例外的原因:你在这里有一个左大括号:Where(customer_id它从来没有关闭过。

于 2013-01-16T14:40:22.193 回答
0

只要workorder_number是一个字符串,那么您只需要在 WONum 周围加上单引号 ' 即可。

您不需要# 或方括号。

如果它不适用于单引号,请确保您已正确识别/隔离您的问题。从你的 sql 的末尾删除And workorder_number = " & WONum & "",看看它是否在没有它的情况下工作。如果不是,那么您的问题不在 WONum 中,而是在字符串的前面。

于 2013-01-16T14:37:46.553 回答