我正在尝试使用VB按钮将数据插入数据库,但它会不断显示我为异常而生成的错误消息。
有人可以帮我解释为什么不更新数据库吗?
Protected Sub Button1_Click(sender As Object, e As System.EventArgs) Handles Button1.Click
Dim connetionString As String
Dim sqlCnn As SqlConnection
Dim sql As String
Dim adapter As New SqlDataAdapter
Dim Customer As String = TextBox1.Text
Dim Product As String = TextBox2.Text
Dim Location As String = TextBox3.Text
Dim Details As String = TextBox4.Text
Dim Owners As String = DropDownList1.Text
Dim Urgency As String = DropDownList2.Text
connetionString = "Data Source=ZUK55APP02;Initial Catalog=BugFixPortal;User ID=SLC***;Password=rep***"
sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details) VALUES ('" & Owners & ", " & Customer & ", " & Product & ", " & Location & ", " & Urgency & ", " & Details & "')"
sqlCnn = New SqlConnection(connetionString)
Try
sqlCnn.Open()
adapter.UpdateCommand = sqlCnn.CreateCommand
adapter.UpdateCommand.CommandText = sql
adapter.UpdateCommand.ExecuteNonQuery()
sqlCnn.Close()
Catch ex As Exception
MsgBox("Unable to update Database with Request - Please speak to Supervisor!")
End Try
End Sub
答案 0 :(得分:2)
我不会走这条路,因为你的代码弱于SQL注入
你应该使用参数。如下所示
c.Open();
string insertString = @"insert into YourTable(name, street, city,....) values(@par1, @par2, @parN,....)"
SqlCommand cmd = new SqlCeCommand(insertString, c);
cmd.Parameters.Add("@par1", SqlDbType.VarChar).Value = "MyName";
//etc
cmd.ExecuteNonQuery();
c.Close();
答案 1 :(得分:1)
您错误地引用了您的值。
此字符串在所有值周围都有一个开始和结束的单引号,这是不正确的。
VALUES ('" & Owners & ", " & Customer & ", " & Product & ", " & Location & ", " & Urgency & ", " & Details & "')"
相反,在字符数据周围放置单引号,例如,如果Product是varchar,它将如下所示:
VALUES (" & Owners & ", " & Customer & ", '" & Product & "', " & Location & ", " & Urgency & ", " & Details & ")"
真正的问题是,您应该使用参数化查询。此代码容易受到SQL注入攻击。
答案 2 :(得分:1)
改变这一点;
MsgBox("Unable to update Database with Request - Please speak to Supervisor!")
这样的事情;
MsgBox("Unable to update Database with Request - Please speak to Supervisor!" & ex.Message)
它将为您提供有关异常的更多详细信息,但是快速浏览一下我可以看到一个问题,您尝试插入的值是字符串,您已将所有值包含在一组'字符中,而不是而不是将每个字符串参数包含在一对'值中,即
sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details) VALUES ('" & Owners & "', '" & Customer & "', '" & Product & "',' " & Location & "', '" & Urgency & "', '" & Details & "')"
答案 3 :(得分:1)
当您对SQL注入攻击持开放态度时,您真的应该考虑参数化您的查询。请参阅HERE
就代码本身而言,您的SQL语法错误,因为您需要在每个值周围放置撇号。试试这个:
sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details)
VALUES ('" & Owners & "', '" & Customer & "', '" & Product &
"', '" & Location & "', '" & Urgency & "', '" & Details & "')"
以下是使用参数
的示例sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details)
VALUES ('@Owners', '@Customer', '@Product', '@Location', '@Urgency', '@Details')"
然后添加如下参数:
command.Parameters.AddWithValue("@Owners", Owners)
command.Parameters.AddWithValue("@Customer", Customer)
command.Parameters.AddWithValue("@Product", Product)
command.Parameters.AddWithValue("@Location", Location)
command.Parameters.AddWithValue("@Urgency", Urgency)
command.Parameters.AddWithValue("@Details", Details)
答案 4 :(得分:0)
我认为您要使用adapter.InsertCommand代替adapter.UpdateCommand
in
Try
sqlCnn.Open()
adapter.UpdateCommand = sqlCnn.CreateCommand //(adapter.InsertCommand)
adapter.UpdateCommand.CommandText = sql //(adapter.InsertCommand)
adapter.UpdateCommand.ExecuteNonQuery() //(adapter.InsertCommand)
sqlCnn.Close()
Catch ex As Exception
MsgBox("Unable to update Database with Request - Please speak to Supervisor!")
End Try
并同意参数化的SQL查询
有关更多信息,请参阅http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqldataadapter.aspx