0

这是我使用文本框和组合框更新记录的代码,但它在第 1 行下方返回错误:错误语法靠近“,”

但是当我检查我的代码时,我找不到任何错误,请帮我修改谢谢!

Private Sub btnUpdate_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnUpdate.Click
    Dim sqlconn As New SqlClient.SqlConnection
    sqlconn.ConnectionString = "server = SKPI-APPS1;" & _
    "Database = EOEMS;integrated security=true"

    Dim myCommand As SqlCommand
    Try

        ''update command
        sqlconn.Open()

        myCommand = New SqlCommand("UPDATE tblOfficeEquipmentProfile SET OE_Category = '" & cmbCategory.Text & "',OE_SubCategory = '" & cmbSubCategory.Text & "', OE_ID = '" & txtOEID.Text & "', OE_Name = '" & txtName.Text & "', OE_User = '" & txtUser.Text & "', OE_Brand = '" & cmbBrand.Text & "', OE_Model = '" & cmbModel.Text & "', OE_Specs = '" & txtSpecs.Text & "', OE_SerialNo = '" & txtSerialNo.Text & "', OE_PropertyNo = '" & txtPropertyNo.Text & "', OE_MacAddress = '" & txtMacAddress.Text & "', OE_Static_IP = '" & txtStaticIp.Text & "', OE_Vendor = '" & cmbVendor.Text & "', OE_PurchaseDate = '" & txtPurchaseDate.Text & "', OE_WarrantyInclusiveYear = '" & cmbWarrantyInclusiveYear.Text & "', OE_WarrantyStatus = '" & txtWarrantyStatus.Text & "', OE_Status = '" & txtStatus.Text & "', OE_Dept_Code = '" & cmbDeptCode.Text & "', OE_Location_Code = '" & cmbLocationCode.Text & "', OE_Remarks ='" & cmbRemarks.Text & "' WHERE OE_Category = '" & cmbCategory.Text & "',OE_SubCategory = '" & cmbSubCategory.Text & "', OE_ID = '" & txtOEID.Text & "', OE_Name = '" & txtName.Text & "', OE_User = '" & txtUser.Text & "', OE_Brand = '" & cmbBrand.Text & "', OE_Model = '" & cmbModel.Text & "', OE_Specs = '" & txtSpecs.Text & "', OE_SerialNo = '" & txtSerialNo.Text & "', OE_PropertyNo = '" & txtPropertyNo.Text & "', OE_MacAddress = '" & txtMacAddress.Text & "', OE_Static_IP = '" & txtStaticIp.Text & "', OE_Vendor = '" & cmbVendor.Text & "', OE_PurchaseDate = '" & txtPurchaseDate.Text & "', OE_WarrantyInclusiveYear = '" & cmbWarrantyInclusiveYear.Text & "', OE_WarrantyStatus = '" & txtWarrantyStatus.Text & "', OE_Status = '" & txtStatus.Text & "', OE_Dept_Code = '" & cmbDeptCode.Text & "', OE_Location_Code = '" & cmbLocationCode.Text & "', OE_Remarks ='" & cmbRemarks.Text & "'", sqlconn)
        myCommand.ExecuteNonQuery()
        MessageBox.Show("Office Equipment Profile Successfully Updated Records")
        sqlconn.Close()
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try

    DisableBoxes()
End Sub
4

1 回答 1

0

除了查询很弱,因为它SQL Injection易受WHERE. 您不应该使用comma来分隔条件,而是使用Conditional Operator诸如AND / OR. 例子,

WHERE OE_Category = '' AND
      OE_SubCategory = '' AND
      OE_ID = '' AND ...

更新 1

Dim  updateStatement As new System.Text.StringBuilder
updateStatement.Append("UPDATE tblofficeequipmentprofile " & vbCrLf)
updateStatement.Append("SET    oe_category = @oe_category, " & vbCrLf)
updateStatement.Append("       oe_subcategory = @oe_subcategory, " & vbCrLf)
updateStatement.Append("       oe_id = @oe_id, " & vbCrLf)
updateStatement.Append("       oe_name = @oe_name, " & vbCrLf)
updateStatement.Append("       oe_user = @oe_user, " & vbCrLf)
updateStatement.Append("       oe_brand = @oe_brand, " & vbCrLf)
updateStatement.Append("       oe_model = @oe_model, " & vbCrLf)
updateStatement.Append("       oe_specs = @oe_specs, " & vbCrLf)
updateStatement.Append("       oe_serialno = @oe_serialno, " & vbCrLf)
updateStatement.Append("       oe_propertyno = @oe_propertyno, " & vbCrLf)
updateStatement.Append("       oe_macaddress = @oe_macaddress, " & vbCrLf)
updateStatement.Append("       oe_static_ip = @oe_static_ip, " & vbCrLf)
updateStatement.Append("       oe_vendor = @oe_vendor, " & vbCrLf)
updateStatement.Append("       oe_purchasedate = @oe_purchasedate, " & vbCrLf)
updateStatement.Append("       oe_warrantyinclusiveyear = @oe_warrantyinclusiveyear, " & vbCrLf)
updateStatement.Append("       oe_warrantystatus = @oe_warrantystatus, " & vbCrLf)
updateStatement.Append("       oe_status = @oe_status, " & vbCrLf)
updateStatement.Append("       oe_dept_code = @oe_dept_code, " & vbCrLf)
updateStatement.Append("       oe_location_code = @oe_location_code, " & vbCrLf)
updateStatement.Append("       oe_remarks = @oe_remarks ")

myCommand = New SqlCommand(updateStatement.ToString(), sqlconn)
myCommand.Parameters.AddWithValue("@Category", cmbCategory.Text)
myCommand.Parameters.AddWithValue("@SubCategory", cmbSubCategory.Text)
myCommand.Parameters.AddWithValue("@OE_ID", txtOEID.Text)
'' other parameters
myCommand.ExecuteNonQuery()
于 2013-04-11T03:23:15.507 回答