sql = "insert into tbl_nurse(nurseid,nursename,deptname,dob,doj,qualification,salary)"
sql = sql & "values('" & txtNurseid.Text & "','" & TxtNursename.Text & "','" & Cmbdept.Text & "',convert(date,'" & DateTimePicker1.Value & "',103),convert(date,'" & DateTimePicker2.Value & "',103),'" & Txtqualification.Text & "','" & txtsalary.Text & "')"
conn.Execute(sql)
问问题
10275 次
3 回答
3
您应该使用sql-parameters来避免sql-injection并防止出现此类转换问题。
假设 SQL-Server 的示例:
Const sql = "INSERT INTO tbl_nurse(nurseid,nursename,deptname,dob,doj,qualification,salary)" & vbCrLf & _
"VALUES(@nurseid, @nursename, @deptname, @dob, @doj, @qualification, @salary)"
Using con = New SqlConnection("Insert Your Connection String Here")
Using cmd = New SqlCommand(sql, con)
cmd.Parameters.AddWithValue("@nurseid", txtNurseid.Text)
cmd.Parameters.AddWithValue("@nursename", TxtNursename.Text)
cmd.Parameters.AddWithValue("@deptname", Cmbdept.Text)
' -- No conversion problems anymore because you pass a DateTime -- '
cmd.Parameters.AddWithValue("@dob", DateTimePicker1.Value)
' ... other parameters ... '
con.Open()
Dim affectedRecords As Int32 = cmd.ExecuteNonQuery()
End Using
End Using
于 2013-06-19T09:16:03.930 回答
0
试着这样改变..
sql = "insert into tbl_nurse(nurseid,nursename,deptname,dob,doj,qualification,salary)"
sql = sql & " values('" & txtNurseid.Text & "','" & TxtNursename.Text & "','" & Cmbdept.Text & "',#" & format(DateTimePicker1.Value.Date) & "#,#" & format(DateTimePicker2.Value.Date) & "#,'" & Txtqualification.Text & "','" & txtsalary.Text & "')"
conn.Execute(sql)
正如 Tim Scmelter 所说..你最好使用参数化输入
于 2013-06-19T09:15:05.523 回答
0
如下添加参数,它就像魅力一样
cmnd.Parameters.Add("@date_time", SqlDbType.DateTime).Value = datetime.Date;
原帖在这里:
于 2021-04-06T14:48:28.757 回答