1

以下是用于将 datagridview 项目输入表的代码。

    Dim X As DataGridViewRow

    grnno = 123123
    glocation = txtlocation.Text
    gsupplier = txtsupplier.Text
    greceivedby = txtreceivedby.Text
    greceiveddate = txtreceiveddate.Text
    grn_status = cmbstatus.SelectedItem
    ggrossamt = txtgrossamt.Text
    gdiscountamount = txtdiscount.Text
    gtotalnetamount = txttotalnet.Text
    sqlstr = "INSERT INTO POS_GRN_HDR(loc_code,supplier_code,created_by,created_Date,grn_status,gross_amt,disc_Amt,net_Amt) values('" & glocation & "','" & gsupplier & "','" & greceivedby & "','" & greceiveddate & "','" & grn_status & "'," & ggrossamt & "," & gdiscountamount & "," & gtotalnetamount & " )"
    sqlcmd = New SqlClient.SqlCommand(sqlstr, AppsCon)
    sqlcmd.ExecuteNonQuery()
    For Each X In datagridItems.Rows

        sqlstr = "INSERT INTO POS_GRN_DTL(GRN_KEY,ITEM_CODE,DESCRIPTION,TYPE,UOM,BATCH_NO,EXPIRY_DATE,RECEIVED_QTY,UNIT_PRICE,AMOUNT,DISCOUNT,NET_AMOUNT) VALUES('" & grnno & "','" & X.Cells(0).Value & "','" & X.Cells(1).Value & "','" & X.Cells(2).Value & "','" & X.Cells(3).Value & "','" & X.Cells(4).Value & "','" & X.Cells(5).Value & "','" & X.Cells(6).Value & "','" & X.Cells(7).Value & "' ,'" & X.Cells(8).Value & "','" & X.Cells(9).Value & "','" & X.Cells(10).Value & "')"
        sqlcmd = New SqlClient.SqlCommand(sqlstr, AppsCon)
        sqlcmd.ExecuteNonQuery()
    Next

错误出现在第二个插入语句中,它给出了错误不能将字符串转换为整数.. x.cell(6) 中的单元格是整数类型,在数据库中也是整数类型,现在我想问我是否应该将其包含在单引号与否,因为用单引号括起来会给出语法 '' 之类的错误,而在双引号中会给出无法将字符串转换为 int 类型的错误。请告诉我哪里做错了。

4

2 回答 2

1

首先使用参数化查询!它更安全,也更具可读性。您将一些值作为字符串传递,但应该是整数。

sqlstr = "INSERT INTO POS_GRN_HDR(loc_code,supplier_code,created_by,created_Date,grn_status,gross_amt,disc_Amt,net_Amt) _
values(@glocation, @gsupplier, @greceivedby, @greceiveddate, @grn_status, @ggrossamt, @gdiscountamount, @gtotalnetamount)"

sqlcmd = New SqlClient.SqlCommand(sqlstr, AppsCon)
sqlcmd.Parameters.AddWithValue("@glocation", glocation) 
sqlcmd.Parameters.AddWithValue("@gsupplier", gsupplier) //and so on


For Each X In datagridItems.Rows

  sqlstr = "INSERT INTO POS_GRN_DTL(GRN_KEY,ITEM_CODE,DESCRIPTION,TYPE,UOM,BATCH_NO,EXPIRY_DATE,RECEIVED_QTY,UNIT_PRICE,AMOUNT,DISCOUNT,NET_AMOUNT) _
            VALUES(@grnno, @item_code, @description, ...)"

  sqlcmd = New SqlClient.SqlCommand(sqlstr, AppsCon)
  sqlcmd.Parameters.AddWithValue("@grnno", grnno)
  sqlcmd.Parameters.AddWithValue("@item_code", CType(X.Cells(0).Value, Integer)) //cast to proper type      

  sqlcmd.ExecuteNonQuery()

Next
于 2013-10-08T07:24:56.170 回答
0

去掉单引号 ''

例如(并且根据您的帖子仅引用 x.cell(6) )使用" & X.Cells(6).Value & " 

    sqlstr = "INSERT INTO POS_GRN_DTL(GRN_KEY,ITEM_CODE,DESCRIPTION,TYPE,UOM,BATCH_NO,EXPIRY_DATE,RECEIVED_QTY,UNIT_PRICE,AMOUNT,DISCOUNT,NET_AMOUNT) VALUES('" & grnno & "','" & X.Cells(0).Value & "','" & X.Cells(1).Value & "','" & X.Cells(2).Value & "','" & X.Cells(3).Value & "','" & X.Cells(4).Value & "','" & X.Cells(5).Value & "', " & X.Cells(6).Value & ",'" & X.Cells(7).Value & "' ,'" & X.Cells(8).Value & "','" & X.Cells(9).Value & "','" & X.Cells(10).Value & "')"

您可能还需要转换(假设它总是会有一个数值)

" & CInt(X.Cells(6).Value) &"

我假设您知道 SQL 注入,并且这种更新数据库的方法现在通常“过时”和“不好的做法”,您应该改用参数...

更新

由于有可能为空(在这种情况下您希望它为 0),您可以使用类似的东西(未测试,因为我不是 VB 人)

dim cellSix as integer
if IsNothing(X.Cells(6).Value then 
    cellSix = 0
else
    cellSix = CInt(X.Cells(6).Value)
end if

sqlstr = "INSERT INTO POS_GRN_DTL(GRN_KEY,ITEM_CODE,DESCRIPTION,TYPE,UOM,BATCH_NO,EXPIRY_DATE,RECEIVED_QTY,UNIT_PRICE,AMOUNT,DISCOUNT,NET_AMOUNT) VALUES('" & grnno & "','" & X.Cells(0).Value & "','" & X.Cells(1).Value & "','" & X.Cells(2).Value & "','" & X.Cells(3).Value & "','" & X.Cells(4).Value & "','" & X.Cells(5).Value & "', " & cellSix & ",'" & X.Cells(7).Value & "' ,'" & X.Cells(8).Value & "','" & X.Cells(9).Value & "','" & X.Cells(10).Value & "')"

或者,为了使代码更短,您可以使用 IIF

cellSix = IIf(isnothing(CInt(X.Cells(6).Value)), 0,  CInt(X.Cells(6).Value))
于 2013-10-08T07:18:32.460 回答