将字符串变量插入vb.net中的sql字符串

时间:2013-01-16 14:29:25

标签: sql-server-2008 vb.net-2010

我很难将WONum插入到我的sql字符串中。 我试过在WONum周围使用'和double'。有人还提出了#和[],但到目前为止还没有任何工作。

我一直收到以下错误:'1577'附近的语法错误

WONum值在运行时实际上是WO-1577,但是当执行DA.fill时我得到了那个错误。我开始认为破折号在sql中做了一些我不知道的事情。任何帮助都会有所帮助,因为我必须在我的应用程序中执行几个类似的功能。

Public Function GetTechTimes(ByVal WONum As String)

    Dim strSQL As String = "Select customer_name, workorder_work_to_be_performed, workorder_work_performed, workorder_notes, workorder_warranty_work, workorder_open_date, workorder_status,workorder_completion_date, wo_tech_name, wo_tech_time, wo_parts_description from Customers, workorders, WorkOrder_Technicians, WorkOrder_Parts Where(customer_id = workorder_customer And wo_tech_wo_id = workorder_id And wo_parts_wo_id = workorder_id And workorder_number = " & WONum & ""
    Dim DA As New SqlDataAdapter(strSQL, Conn)
    Dim DS As New DataSet
    DA.Fill(DS, "TechTimes")
    Return DS
End Function

2 个答案:

答案 0 :(得分:5)

使用Sql-Parameters!这将避免转换或其他问题 - 更重要的是 - 阻止SQL-Injection attacks

Public Function GetTechTimes(ByVal WONum As String) As DataSet
    Dim strSQL As String = "SELECT customer_name, " & Environment.NewLine & _
    "workorder_work_to_be_performed," & Environment.NewLine & _
    "workorder_work_performed, " & Environment.NewLine & _
    "workorder_notes, " & Environment.NewLine & _
    "workorder_warranty_work, " & Environment.NewLine & _
    "workorder_open_date, " & Environment.NewLine & _
    "workorder_status, " & Environment.NewLine & _
    "workorder_completion_date," & Environment.NewLine & _
    "wo_tech_name, " & Environment.NewLine & _
    "wo_tech_time, " & Environment.NewLine & _
    "wo_parts_description" & Environment.NewLine & _
    "FROM(customers," & Environment.NewLine & _
    "       workorders," & Environment.NewLine & _
    "       workorder_technicians," & Environment.NewLine & _
    "       workorder_parts)" & Environment.NewLine & _
    "WHERE customer_id = workorder_customer " & Environment.NewLine & _
    "AND wo_tech_wo_id = workorder_id " & Environment.NewLine & _
    "AND wo_parts_wo_id = workorder_id " & Environment.NewLine & _
    "AND workorder_number = @workorder_number "

    Using con = New SqlConnection(YourConnectionString)
        Using da = New SqlDataAdapter(strSQL, con)
            da.SelectCommand.Parameters.AddWithValue("@workorder_number", WONum)
            Dim DS As New DataSet
            da.Fill(DS)
            Return DS
        End Using
    End Using
End Function

请注意,我还使用了Using - 语句,以确保即使在异常的情况下所有语句也会被弃用。

再见,你的例外原因是:你在这里有一个左大括号:Where(customer_id从未关闭。

答案 1 :(得分:0)

只要workorder_number是一个字符串,那么就可以在WONum周围放置单引号。

您不需要#或方括号。

如果不使用单引号,请确保您已正确识别/隔离问题。从sql的末尾删除And workorder_number = " & WONum & "",看看它是否可以正常工作。如果没有,那么你的问题不在WONum中,它在字符串的早期。

相关问题
最新问题