0

他在那里,我正在研究一个cms,同时尝试更新命令来更新记录,它不起作用。

这是更新的完整代码,

Dim ID, RegNo, BedNo, BedType, Charges, PatName, PatAge, PatAddr, Phone, CheckupDate, Disease, BloodGroup, Doctor, Remarks As String

    RegNo = txtRegNo.Text
    BedNo = CmbBedNo.SelectedItem.ToString()
    BedType = CmbBedType.SelectedItem.ToString()
    Charges = txtCharges.Text
    PatName = txtPatName.Text
    PatAge = txtPatAge.Text
    PatAddr = txtPatAdd.Text
    Phone = txtPhone.Text
    CheckupDate = txtDate.Text
    Disease = txtDisease.Text
    BloodGroup = cmbBloodGrp.SelectedItem.ToString()
    Doctor = cmbDoctor.SelectedItem.ToString()
    Remarks = txtRemarks.Text

    ID = txtRegNo.Text

    Dim conStudent As New OleDbConnection
    Dim comStudent As New OleDbCommand


    conStudent.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=F:\DBProject\hspms.mdb"
    conStudent.Open()

    comStudent.CommandText = "UPDATE AdmitPt SET ID =" & ID & ", Bedcategory='" & BedType & "', BedNo=" & BedNo & ", BedCharges=" & Charges & ", PtName='" & PatName & "', PtAge=" & PatAge & ", Address='" & PatAddr & "', PhoneNo='" & Phone & "', Dates='" & CheckupDate & "', Disease='" & Disease & "', BloodGroup='" & BloodGroup & "', Doctor='" & Doctor & "', Remarks='" & Remarks & "' WHERE ID=" & RegNo

    comStudent.Connection = conStudent

    comStudent.CommandType = CommandType.Text

    If (comStudent.ExecuteNonQuery() > 0) Then
        MsgBox("record successfully updated")
    End If

    conStudent.Close()

一件事,以 ID、BedNo、BedCharges、Age 命名的字段设置为 Number 作为数据类型。

4

1 回答 1

0

首先,切换到参数化查询。这将消除 Sql Injection 的任何可能性,但也避免了引用字符串、解析十进制数字和日期的问题

Dim conString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=F:\DBProject\hspms.mdb"
Dim cmdText =   "UPDATE AdmitPt SET ID =?, Bedcategory=?, BedNo=?, BedCharges=?, " & _
                "PtName=?, PtAge=?, Address=?, PhoneNo=?, Dates=?, Disease=?, " & _
                "BloodGroup=?, Doctor=?, Remarks=? WHERE ID=?"
Using conStudent = new OleDbConnection(conString)
Using comStudent = new OleDbCommand(cmdText, conStudent)
     conStudent.Open()
     comStudent.Parameters.AddWithValue("@p1", Convert.ToInt32(ID))
     comStudent.Parameters.AddWithValue("@p2", BedType)
     comStudent.Parameters.AddWithValue("@p3", Convert.ToInt32(BedNo))
     comStudent.Parameters.AddWithValue("@p4", Convert.ToDecimal(Charges))
     .... and so on for every other question marks in the cmdText ....
     .... respecting the exact order of the fields ...................
     .... try also to pass the correct datatype for every non string field
    If (comStudent.ExecuteNonQuery() > 0) Then
        MsgBox("record successfully updated")
    End If
End Using
End Using
于 2013-09-27T07:47:00.527 回答