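I have been struggling with this problem for a few days and can't figure out what is wrong with the code below. When I click the button to update, nothing gets updated. By the way, I use an HTML table to display the customer's information, and then use the text boxes in that table to update the fields. But the SQL Update statement doesn't work. Here is the code: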
Protected Sub btnUpdate_Click(sender As Object, e As System.EventArgs) Handles btnUpdate.Click
Dim myConnection As OleDbConnection
Dim myCommand As OleDbCommand
Dim ID As Integer
Dim mySQLString As String, strFirstName As String, strLastName As String, strPhone As String, strEmail, strComment As String, Employee As String, DateCalled, TimeCalled, DateEdited As datetime
myConnection = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\wfccdb\datagridview\app_data\t3corp.mdb;")
myConnection.Open()
ID = Request.QueryString.Item("r")
Employee = tbEMP.Text
strFirstName = tbFname.Text
strLastName = tbLname.Text
strPhone = tbPhone.Text
strEmail = tbEmail.Text
DateCalled = Convert.ToDateTime(tbDateCalled.Text)
TimeCalled = Convert.ToDateTime(tbTimeCalled.Text)
strComment = tbComment.Text
DateEdited = Now
mySQLString = "UPDATE customers SET Employee='" + Employee + "', FirstName='" + strFirstName + "', LastName='" + strLastName + "', Phone='" + strPhone + "', Email='" + strEmail + "', DateCalled='" + DateCalled + "', " + _
"TimeCalled='" + TimeCalled + "', Comment='" + strComment + "', DateEdited='" + DateEdited + "' WHERE ReferenceID=" & Val(ID) & ""
myCommand = New OleDbCommand
myCommand.Connection = myConnection
myCommand.CommandText = mySQLString
myCommand.ExecuteNonQuery()
myConnection.Close()
Response.Redirect("ViewEditRecords.aspx?r=" + Request.QueryString.Item("r"))
End Sub
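Answer 0 (score: 1)
First of all, you really should be using parameterized queries - this is vulnerable to SQL injection.
That said, I think there is a problem with at least your DateTime fields - the correct way to insert into an MS Access DateTime field should be #Date# - your query inserts those as strings, which won't work in Access.
Also, if any of your fields contain an apostrophe, this will break as well - another reason to use parameterized queries.
Hope this helps a bit.
Good luck.
Answer 1 (score: 1)
Your update SQL string has a few problems. Let's start from the beginning.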
mySQLString = "UPDATE customers SET Employee='" + Employee + "', FirstName='" + strFirstName + "', LastName='" + strLastName + "', Phone='" + strPhone + "', Email='" + strEmail + "', DateCalled='" + DateCalled + "', " + _
"TimeCalled='" + TimeCalled + "', Comment='" + strComment + "', DateEdited='" + DateEdited + "' WHERE ReferenceID=" & Val(ID) & ""
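First, note the three date/time values you are trying to assign: DateCalled, TimeCalled, DateEdited. I assume they are actual date values in the Access table. In that case, you need to construct the update statement for the column as follows: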
".... DateCalled=#" + tbDateCalled.Text + "# ...."
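(You need to surround the date value with #.) Do the same for TimeCalled.
Now, look at your "' WHERE ReferenceID=" & Val(ID) & "". If you check what the VAL function does, it does the opposite: it converts a string to a number. So in your case you need to use the following (remove the & "", since it is not needed):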
"' WHERE ReferenceID=" & CStr(ID)
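Finally, why not check the error string after calling myCommand.ExecuteNonQuery()? I'm pretty sure Access will tell you what the error is.
So, incorporating sgeddes's suggestions, your final SQL string should look like this: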
Employee = Replace(Employee, "''", "'")
Employee = Replace(Employee, "'", "''")
Do this for first name, last name, phone, comment and email to minimise the threat of SQL injections
mySQLString = "UPDATE customers SET Employee='" & Employee & "', FirstName='" & strFirstName & "', LastName='" & strLastName & "', Phone='" & strPhone & "', Email='" & strEmail & "', DateCalled=#" & tbDateCalled.Text & "#, " + _
"TimeCalled=#" & tbTimeCalled.Text & "#, Comment='" & strComment & "', DateEdited=Now() WHERE ReferenceID=" & CStr(ID)