晚上好,
我正在使用以下内容尝试更新MySQL数据库中的记录,但记录没有更新,我也没有发现任何异常。非常感谢您的帮助:
dbConn = New MySqlConnection("Server=" & FormLogin.ComboBoxServerIP.SelectedItem & ";Port=3306;Uid=trojan;Password=horse;Database=accounting")
Try
If dbConn.State = ConnectionState.Open Then
dbConn.Close()
Else
Try
dbConn.Open()
Dim dbAdapter As New MySqlDataAdapter("UPDATE customer " & _
"SET accountNumber= '" & TextBoxAccount.Text & "', nameLAST='" & TextBoxLastName.Text & "', nameFIRST='" & TextBoxFirstName.Text & "'" & _
"nameSALUTATION='" & ComboBoxSalutation.SelectedItem & "', nameCOMPANY='" & TextBoxCompanyName.Text & "', addressSTREET='" & TextBoxAddress1.Text & "'" & _
"addressSTREET1='" & TextBoxAddress2.Text & "', addressCITY='" & TextBoxCity.Text & "', addressSTATE='" & ComboBoxState.SelectedItem & "'" & _
"addressZIPCODE='" & MaskedTextBoxZip.Text & "', phone='" & MaskedTextBoxPhone.Text & "', fax='" & MaskedTextBoxFax.Text & "', email='" & TextBoxEmail.Text & "'" & _
"WHERE accountNumber='" & TextBoxAccount.Text & "';", dbConn)
Catch ex As Exception
MessageBox.Show("A DATABASE ERROR HAS OCCURED" & vbCrLf & vbCrLf & ex.Message & vbCrLf & _
vbCrLf + "Please report this to the IT/Systems Helpdesk at Ext 131.")
End Try
MessageBox.Show("Customer account SUCCESSFULLY updated!")
Call lockForm()
End If
Catch ex As Exception
MessageBox.Show("A DATABASE ERROR HAS OCCURED" & vbCrLf & vbCrLf & ex.Message & vbCrLf & _
vbCrLf + "Please report this to the IT/Systems Helpdesk at Ext 131.")
End Try
Call lockForm()
dbConn.Close()
答案 0 :(得分:3)
使用MySQLCommand代替MySQLDataAdapter。您正在击败使用ADONet的目的,因为您的代码仍然易受sql注入攻击。使其参数化。以下是代码中的修改代码。它使用Using-End Using来正确处理对象处理。
Dim ConnectionString As String ="Server=" & FormLogin.ComboBoxServerIP.SelectedItem & ";Port=3306;Uid=trojan;Password=horse;Database=accounting"
Dim iQuery As String = "UPDATE customer " & _
"SET accountNumber = @accountNumber, nameLAST = @nameLAST, nameFIRST = @nameFIRST, " & _
" nameSALUTATION = @nameSALUTATION, nameCOMPANY = @nameCOMPANY, addressSTREET = @addressSTREET, " & _
" addressSTREET1 = @addressSTREET1, addressCITY = @addressCITY, addressSTATE = @addressSTATE, " & _
" addressZIPCODE = @addressZIPCODE, phone = @phone, fax = @fax, email = @email " & _
"WHERE accountNumber = @accountNumber"
Using dbConn As New MySqlConnection(ConnectionString)
Using dbComm As New MySQLCommand()
With dbComm
.Connection = dbConn
.CommandType = CommandType.Text
.CommandText = iQuery
.Parameters.AddWithValue("@accountNumber", TextBoxAccount.Text )
.Parameters.AddWithValue("@nameLAST", TextBoxLastName.Text)
.Parameters.AddWithValue("@nameFIRST", TextBoxFirstName.Text)
.Parameters.AddWithValue("@nameSALUTATION", ComboBoxSalutation.SelectedItem)
.Parameters.AddWithValue("@nameCOMPANY", TextBoxCompanyName.Text)
.Parameters.AddWithValue("@addressSTREET", TextBoxAddress1.Text)
.Parameters.AddWithValue("@addressSTREET1", TextBoxAddress2.Text)
.Parameters.AddWithValue("@addressCITY", TextBoxCity.Text)
.Parameters.AddWithValue("@addressSTATE", ComboBoxState.SelectedItem)
.Parameters.AddWithValue("@addressZIPCODE", MaskedTextBoxZip.Text)
.Parameters.AddWithValue("@phone", MaskedTextBoxPhone.Text)
.Parameters.AddWithValue("@fax", MaskedTextBoxFax.Text)
.Parameters.AddWithValue("@email", TextBoxEmail.Text)
End With
Try
dbConn.Open
dbComm.ExecuteNonQuery()
MessageBox.Show("Customer account SUCCESSFULLY updated!")
Call lockForm()
Catch( ex as MySQLException)
MessageBox.Show("A DATABASE ERROR HAS OCCURED" & vbCrLf & vbCrLf & ex.Message & vbCrLf & _
vbCrLf + "Please report this to the IT/Systems Helpdesk at Ext 131.")
Finally
dbConn.Close()
End Try
End Using
End Using
答案 1 :(得分:1)
在这种情况下,我会使用ExecuteNonQuery,因为您不能像尝试使用它一样使用MySQLDataAdapter。另外请使用参数,因为你正在做的事情打开你的SQL注入攻击。最后,您不需要更新accountNumber,因为您正在使用它来查找要更新的行!