VB.net update query gives no error and does not update my SQL database

Time: 2012-12-18 22:02:06

Tags: mysql vb.net

Dim conntps As MySqlConnection
Dim myconnstringtps As String
conntps = New MySqlConnection()
Dim mycommand As New MySqlCommand
Dim Updatepayments As String = "update payments set payments.payorname='" & _
    epayorname.Text & "', payments.cardnumber='" & eccnumber.Text & _
    "', payments.bankname='" & ebankname.Text & "', payments.checkaccountnumber='" & _
    eaccountnumber.Text & "', payments.checkroutingnumber='" & _
    erouting.Text & "', payments.cardexpirationdate='" & eexpmonth.Text & "/" & _
    eexpireyear.Text & "', payments.cardexpirationmonth='" & _
    eexpmonth.Text & "', payments.cardexpirationyear='" & eexpireyear.Text & _
    "', payments.cardaddress='" & eaddy.Text & "', payments.cardzipcode='" & _
    ezip.Text & "', payments.threedigitnumber='" & ecvv.Text & _
    "' where payments.filenumber='" & TextBox1.Text & "' and paymentstatus='PENDING';"
myconnstringtps = "server=localhost; user id=root; " & _
                  "password=1C0cac0la; database=collectionsmax"
Try
    conntps.Open()
    Try
        mycommand.Connection = conntps
        mycommand.CommandText = Updatepayments
        mycommand.ExecuteNonQuery()
        conntps.Close()
        mycommand.Dispose()
    Catch myerror As MySqlException
        MsgBox("error connecting:" & myerror.Message)
    End Try
Catch myerror As MySqlException
    MsgBox("error connecting:" & myerror.Message)
Finally
    If conntps.State <> ConnectionState.Closed Then conntps.Close()
    MsgBox("Successfully Changed")
End Try

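When I try to run the code, I don't get any errors or exceptions.

I tried outputting the generated update query to a text box and running it through MySQL management studio, and it runs perfectly. So I'm pretty sure the problem is not with the actual query being sent to the server.

I have used almost exactly the same code for insert statements without any problems.

When I run the code in my VB.net application using the code shown above, it does not update the database.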

2 answers:

Answer 0: (score: 1)

You have not set the connection string in the MySqlConnection
myconnstringtps = "server=localhost; user id=root; password=1C0cac0la;......"
conntps = New MySqlConnection(myconnstringtps)

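Apart from that, you need to use a parameterized query to avoid problems with single quotes in your strings as well as the SQL injection attack security problem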

Dim Updatepayments As String = "update payments " & _
    "set payments.payorname=@name," & _
    "payments.cardnumber=@cnum," & _
    "payments.bankname=@bank," & _
    "payments.checkaccountnumber=@actnum," & _
    "payments.checkroutingnumber=@routing," & _
    "payments.cardexpirationdate=@monthyear," & _
    "payments.cardexpirationmonth=@month," & _
    "payments.cardexpirationyear=@year," & _
    "payments.cardaddress=@address," & _
    "payments.cardzipcode=@zip," & _
    "payments.threedigitnumber=@digits " & _
    "where payments.filenumber=@file and paymentstatus='PENDING'"

Dim mycommand As New MySqlCommand(Updatepayments, conntps)
mycommand.Parameters.AddWithValue("@name", epayorname.Text)
mycommand.Parameters.AddWithValue("@cnum", eccnumber.Text)
mycommand.Parameters.AddWithValue("@bank", ebankname.Text)
mycommand.Parameters.AddWithValue("@actnum", eaccountnumber.Text)
mycommand.Parameters.AddWithValue("@routing", erouting.Text)
mycommand.Parameters.AddWithValue("@monthyear", eexpmonth.Text & "/" &  eexpireyear.Text)
mycommand.Parameters.AddWithValue("@month", eexpmonth.Text)
mycommand.Parameters.AddWithValue("@year", eexpireyear.Text)
mycommand.Parameters.AddWithValue("@address", eaddy.Text)
mycommand.Parameters.AddWithValue("@zip", ezip.Text)
mycommand.Parameters.AddWithValue("@digits", ecvv.Text)
mycommand.Parameters.AddWithValue("@file", TextBox1.Text)

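Another problematic point: are you sure your fields are all of string type? You pass a string for every field and wrap the value in single quotes. If some of your fields are not of string type, this may fail. (In particular, these fields might not be of string type: payments.cardnumber, payments.checkaccountnumber, payments.cardexpirationmonth, payments.cardexpirationyear, payments.threedigitnumber)

Answer 1: (score: 0)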

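Red alert: you are obviously dealing with credit card information here, yet you are leaving yourself and your customers vulnerable to SQL injection attacks!

You also have a password in the code you posted on the public internet!

(Steve seems to have the right answer.)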
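
The points from both answers combined, as an added example that is not code from the question or from either answer: the connection string is passed to the connection, the query is parameterized, the password is read at run time, and the row count from `ExecuteNonQuery` is checked instead of reporting success unconditionally. It is narrowed to two columns; the environment variable name `COLLECTIONS_DB_PASSWORD`, the `app_user` account and the sample values in `Main` are assumptions.

```vbnet
Imports System
Imports MySql.Data.MySqlClient

Module PaymentUpdateExample
    ' Hypothetical variable name: keeps the password out of source code.
    Private Const PasswordVariable As String = "COLLECTIONS_DB_PASSWORD"

    Function BuildConnectionString() As String
        Dim builder As New MySqlConnectionStringBuilder()
        builder.Server = "localhost"
        builder.UserID = "app_user" ' assumed application account instead of root
        builder.Password = Environment.GetEnvironmentVariable(PasswordVariable)
        builder.Database = "collectionsmax"
        Return builder.ConnectionString
    End Function

    ' Returns the row count reported by ExecuteNonQuery so the caller can
    ' tell "no exception" apart from "a row was actually updated".
    Function UpdatePendingPayment(fileNumber As String, payorName As String,
                                  bankName As String) As Integer
        Const sql As String =
            "update payments set payorname=@name, bankname=@bank " &
            "where filenumber=@file and paymentstatus='PENDING'"
        ' The connection string goes to the constructor; Using closes and
        ' disposes the connection and command even when an exception occurs.
        Using conn As New MySqlConnection(BuildConnectionString())
            Using cmd As New MySqlCommand(sql, conn)
                ' Values travel as parameters, never as part of the SQL text.
                cmd.Parameters.AddWithValue("@name", payorName)
                cmd.Parameters.AddWithValue("@bank", bankName)
                cmd.Parameters.AddWithValue("@file", fileNumber)
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    Sub Main()
        Try
            ' Constructed sample values; the quote in O'Brien needs no escaping.
            Dim rows As Integer = UpdatePendingPayment("F-0001", "O'Brien", "Example Bank")
            If rows = 0 Then
                Console.WriteLine("No row was updated.")
            Else
                Console.WriteLine("Updated " & rows & " row(s).")
            End If
        Catch ex As MySqlException
            Console.WriteLine("Database error: " & ex.Message)
        End Try
    End Sub
End Module
```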