
I have been trying to solve this for a few days and cannot find out what is wrong with the code below. When I click the button to update, nothing is updated. By the way, I am using an HTML table to display the customer's information and then using the text boxes in that table to update the fields. But the SQL UPDATE statement does not work. Here is the code:

Protected Sub btnUpdate_Click(sender As Object, e As System.EventArgs) Handles btnUpdate.Click

    Dim myConnection As OleDbConnection
    Dim myCommand As OleDbCommand
    Dim ID As Integer
    Dim mySQLString As String, strFirstName As String, strLastName As String, strPhone As String, strEmail, strComment As String, Employee As String, DateCalled, TimeCalled, DateEdited As DateTime

    myConnection = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\wfccdb\datagridview\app_data\t3corp.mdb;")
    myConnection.Open()

    ' Record id comes from the query string, the rest from the text boxes in the HTML table
    ID = Request.QueryString.Item("r")
    Employee = tbEMP.Text
    strFirstName = tbFname.Text
    strLastName = tbLname.Text
    strPhone = tbPhone.Text
    strEmail = tbEmail.Text
    DateCalled = Convert.ToDateTime(tbDateCalled.Text)
    TimeCalled = Convert.ToDateTime(tbTimeCalled.Text)
    strComment = tbComment.Text
    DateEdited = Now

    ' The UPDATE statement is built by concatenating the values into the SQL text
    mySQLString = "UPDATE customers SET Employee='" + Employee + "', FirstName='" + strFirstName + "', LastName='" + strLastName + "', Phone='" + strPhone + "', Email='" + strEmail + "', DateCalled='" + DateCalled + "', " + _
    "TimeCalled='" + TimeCalled + "', Comment='" + strComment + "', DateEdited='" + DateEdited + "' WHERE ReferenceID=" & Val(ID) & ""

    myCommand = New OleDbCommand
    myCommand.Connection = myConnection
    myCommand.CommandText = mySQLString
    myCommand.ExecuteNonQuery()
    myConnection.Close()

    Response.Redirect("ViewEditRecords.aspx?r=" + Request.QueryString.Item("r"))

End Sub

2 Answers


First, you really should be using parameterized queries; this is vulnerable to SQL injection.

That said, I think there is at least a problem with your DateTime fields. The proper way to insert into an MS Access DateTime field should be to use #Date#; your query is inserting those values as strings, which is not going to work.

Also, if any of your fields contain an apostrophe, this will break too, which is another reason to use parameterized queries.

Hope this helps.

Good luck.

Answered 2013-01-25T00:06:31.090

Your UPDATE SQL string contains a few problems. Let's start from the beginning.

mySQLString = "UPDATE customers SET Employee='" + Employee + "', FirstName='" + strFirstName + "', LastName='" + strLastName + "', Phone='" + strPhone + "', Email='" + strEmail + "', DateCalled='" + DateCalled + "', " + _
"TimeCalled='" + TimeCalled + "', Comment='" + strComment + "', DateEdited='" + DateEdited + "' WHERE ReferenceID=" & Val(ID) & ""

First, notice the three date/time values you are trying to assign: DateCalled, TimeCalled and DateEdited. I assume they are real Date values in your Access table. In that case you need to construct the update statement for those columns like this:

".... DateCalled=#" + tbDateCalled.Text + "# ...."

(you need to surround the date value with #). Do the same for TimeCalled.

Now look at your "' WHERE ReferenceID=" & Val(ID) & "". If you check what the VAL function does, it does the opposite: it converts a string to a number. So in your case you need to use the following (and drop the & "" as well, since it is not needed):

"' WHERE ReferenceID=" & CStr(ID)

Finally, why not check the error string after calling myCommand.ExecuteNonQuery()? I am pretty sure Access will tell you what the error is.

So, combining this with sgeddes's suggestion, your final SQL string should look like this:

Employee = Replace(Employee, "''", "'")
Employee = Replace(Employee, "'", "''")
' Do this for first name, last name, phone, comment and email to minimise the threat of SQL injection

mySQLString = "UPDATE customers SET Employee='" & Employee & "', FirstName='" & strFirstName & "', LastName='" & strLastName & "', Phone='" & strPhone & "', Email='" & strEmail & "', DateCalled=#" & tbDateCalled.Text & "#, " & _
"TimeCalled=#" & tbTimeCalled.Text & "#, Comment='" & strComment & "', DateEdited=Now() WHERE ReferenceID=" & CStr(ID)

Answered 2013-01-25T00:09:07.087
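Both answers point at the same root cause: the values are spliced into the SQL text, so the Access date delimiters, the apostrophe doubling and the ReferenceID conversion all have to be got right by hand, and a stray quote or # in a text box still changes the statement (the final string in the second answer, for example, still concatenates tbDateCalled.Text inside the #...# delimiters unescaped). The following is an added example, not code from the question or from either answer, showing the same update done with OleDbParameter objects instead. It assumes the control names from the question (tbEMP, tbFname, tbLname, tbPhone, tbEmail, tbDateCalled, tbTimeCalled, tbComment, btnUpdate), the customers table and column names from the question, a page class named after ViewEditRecords.aspx, a placeholder path in the connection string, and an extra Label control named lblError for reporting problems; all of those are assumptions. With parameters the value never becomes part of the SQL text, so no #...# and no quote doubling are needed, and the Date/Time columns receive a DateTime directly.

```vbnet
Imports System
Imports System.Data.OleDb
Imports System.Web.UI

' Added example (not the question's or the answers' code).
' Assumed: the page class name, the connection string path, the lblError Label
' control, and the TextBox/Button names taken from the question.
Partial Class ViewEditRecords
    Inherits Page

    ' Placeholder path; the question's own Data Source value goes here.
    Private Const connStr As String = _
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\path\to\t3corp.mdb;"

    ' Runs the parameterized UPDATE and returns the number of rows affected.
    ' OleDb parameters are positional: the '?' placeholders bind to the
    ' parameters in the order they are added, so the Add calls below must
    ' follow the SET/WHERE order of the statement. Names are for readability only.
    Private Shared Function UpdateCustomer(referenceId As Integer, employee As String, _
                                           firstName As String, lastName As String, _
                                           phone As String, email As String, _
                                           dateCalled As DateTime, timeCalled As DateTime, _
                                           comment As String) As Integer
        Const sql As String = _
            "UPDATE customers SET Employee=?, FirstName=?, LastName=?, Phone=?, " & _
            "Email=?, DateCalled=?, TimeCalled=?, Comment=?, DateEdited=? " & _
            "WHERE ReferenceID=?"

        Using conn As New OleDbConnection(connStr)
            Using cmd As New OleDbCommand(sql, conn)
                cmd.Parameters.Add("@Employee", OleDbType.VarWChar).Value = employee
                cmd.Parameters.Add("@FirstName", OleDbType.VarWChar).Value = firstName
                cmd.Parameters.Add("@LastName", OleDbType.VarWChar).Value = lastName
                cmd.Parameters.Add("@Phone", OleDbType.VarWChar).Value = phone
                cmd.Parameters.Add("@Email", OleDbType.VarWChar).Value = email
                ' Date/Time columns take a DateTime value; no #...# delimiters needed.
                cmd.Parameters.Add("@DateCalled", OleDbType.Date).Value = dateCalled
                cmd.Parameters.Add("@TimeCalled", OleDbType.Date).Value = timeCalled
                ' Memo column for free text.
                cmd.Parameters.Add("@Comment", OleDbType.LongVarWChar).Value = comment
                cmd.Parameters.Add("@DateEdited", OleDbType.Date).Value = DateTime.Now
                ' Typed integer: no Val()/CStr() juggling and nothing to inject into.
                cmd.Parameters.Add("@ReferenceID", OleDbType.Integer).Value = referenceId

                conn.Open()
                ' 0 means no row matched ReferenceID; the original code ignored this.
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    Protected Sub btnUpdate_Click(sender As Object, e As EventArgs) Handles btnUpdate.Click
        Dim id As Integer
        Dim dateCalled, timeCalled As DateTime

        ' Validate before touching the database: the query string and every
        ' text box are user-controlled input.
        If Not Integer.TryParse(Request.QueryString("r"), id) _
           OrElse Not DateTime.TryParse(tbDateCalled.Text, dateCalled) _
           OrElse Not DateTime.TryParse(tbTimeCalled.Text, timeCalled) Then
            lblError.Text = "Invalid record id or date/time value."   ' lblError is assumed
            Return
        End If

        Try
            Dim rows As Integer = UpdateCustomer(id, tbEMP.Text, tbFname.Text, tbLname.Text, _
                                                 tbPhone.Text, tbEmail.Text, dateCalled, _
                                                 timeCalled, tbComment.Text)
            If rows = 0 Then
                lblError.Text = "No record with that ReferenceID."
                Return
            End If
        Catch ex As OleDbException
            ' Surface the provider's error instead of failing silently, as the
            ' second answer suggests.
            lblError.Text = "Update failed: " & ex.Message
            Return
        End Try

        ' Redirect with the validated integer rather than echoing the raw query string.
        Response.Redirect("ViewEditRecords.aspx?r=" & id.ToString())
    End Sub
End Class
```

Names such as O'Brien, comments containing quotes, and dates typed with # now travel as parameter values, and a date the user mistypes is rejected by TryParse before any SQL runs rather than surfacing as a syntax error from the provider.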