SQL Server "Invalid column name" exception

Time: 2013-12-11 15:45:10

Tags: sql .net vb.net invalid-characters

I get the exception 'Invalid column name'.

But if I use an integer when inserting, it is accepted.

Please help me, I'm new to VB.NET.

Here is the code:

Imports System
Imports System.Data
Imports System.Data.SqlClient


Public Class Student
    Dim cs As New SqlConnection("Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Example\Student.mdf;Integrated Security=True;User Instance=True")
    Dim cmd As New SqlCommand
    Dim dr As SqlDataReader
    Private Sub Student_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        'TODO: This line of code loads data into the 'StudentDataSet1.Student' table. You can move, or remove it, as needed.
        Me.StudentTableAdapter1.Fill(Me.StudentDataSet1.Student)
        'TODO: This line of code loads data into the 'StudentDataSet.Student' table. You can move, or remove it, as needed.
        Me.StudentTableAdapter.Fill(Me.StudentDataSet.Student)
        cmd.Connection = cs
    End Sub

    Private Sub StudentBindingNavigatorSaveItem_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles StudentBindingNavigatorSaveItem.Click
        Me.Validate()
        Me.StudentBindingSource.EndEdit()
        Me.TableAdapterManager.UpdateAll(Me.StudentDataSet)
    End Sub

    Private Sub btnAdd_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnAdd.Click
        StudentBindingSource.AddNew()
        USNTextBox.Focus()
    End Sub

    Private Sub btnSave_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnSave.Click
        Try
            Me.Validate()
            Me.StudentBindingSource.EndEdit()
            Me.TableAdapterManager.UpdateAll(Me.StudentDataSet)
            MsgBox("1 record is added")
        Catch ex As Exception
            System.Windows.Forms.MessageBox.Show(ex.Message)
        End Try
    End Sub
    Private Sub btnInsert_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnInsert.Click
        If USNTextBox.Text <> "" And NameTextBox.Text <> "" And MarksTextBox.Text <> "" Then
            cs.Open()
            cmd.CommandText = "INSERT INTO Student" & "(USN, Name, Marks)" & "VALUES (" & USNTextBox.Text & ", " & NameTextBox.Text & ", " & MarksTextBox.Text & ")"
            cmd.ExecuteNonQuery()
            cs.Close()

            USNTextBox.Text = ""
            NameTextBox.Text = ""
            MarksTextBox.Text = ""
        End If
    End Sub

End Class

2 Answers:

Answer 0 (score: 4)

You need to wrap text columns in apostrophes. However, you should always use parameterized queries to prevent SQL injection.

So instead of

cmd.CommandText = "INSERT INTO Student" & "(USN, Name, Marks)" & "VALUES (" & USNTextBox.Text & ", " & NameTextBox.Text & ", " & MarksTextBox.Text & ")"

do this:

Dim sql = "INSERT INTO Student(USN, Name, Marks)VALUES(@USN, @Name, @Marks)"
Using cs = New SqlConnection("Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Example\Student.mdf;Integrated Security=True;User Instance=True")
    Using cmd = New SqlCommand(sql, cs)
        cmd.Parameters.AddWithValue("@USN", USNTextBox.Text)
        cmd.Parameters.AddWithValue("@Name", NameTextBox.Text)
        cmd.Parameters.AddWithValue("@Marks", Int32.Parse(MarksTextBox.Text))
        cs.Open()
        cmd.ExecuteNonQuery()
    End Using
End Using

(assuming Marks is an int column, otherwise remove the Int32.Parse)

Answer 1 (score: 0)

Tim's parameterized answer is the correct solution.

But this is how you would quote the name. If it is a char or nchar column, it needs to be quoted.
This opens you up to SQL injection attacks.

cmd.CommandText = "INSERT INTO Student" & "(USN, Name, Marks)" & "VALUES (" & USNTextBox.Text & ", '" & NameTextBox.Text & "', " & MarksTextBox.Text & ")"
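The three variants discussed in the two answers above, side by side, as an added example that is not part of the original question or answers. It uses Python with an in-memory SQLite table as a stand-in for the SQL Server Student table, so it runs offline; the only difference that matters here is the error text (SQL Server says "Invalid column name", SQLite says "no such column"). The `?` placeholders are SQLite's syntax for what `@USN`, `@Name`, `@Marks` are in SqlClient. The table definition, function names and sample rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the question's Student table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Student (USN INTEGER, Name TEXT, Marks INTEGER)")
    return con


def _run(con, sql):
    """Execute one statement; return None on success or the engine's error text."""
    try:
        con.execute(sql)
        con.commit()
        return None
    except sqlite3.Error as e:
        return str(e)


def insert_concat(con, usn, name, marks):
    """The question's approach: values pasted into the SQL text with no quoting.
    An unquoted Name is parsed as an identifier, so the engine looks for a
    column called e.g. John and fails. A purely numeric Name is parsed as a
    number literal, which is why an integer 'works'."""
    sql = ("INSERT INTO Student (USN, Name, Marks) VALUES ("
           + usn + ", " + name + ", " + marks + ")")
    return _run(con, sql)


def insert_quoted(con, usn, name, marks):
    """Answer 1's fix: wrap Name in single quotes by hand. Plain names now
    insert, but user text is still part of the SQL grammar: a name containing
    an apostrophe terminates the literal early and breaks the statement, and
    the same property is what makes the concatenation injectable."""
    sql = ("INSERT INTO Student (USN, Name, Marks) VALUES ("
           + usn + ", '" + name + "', " + marks + ")")
    return _run(con, sql)


def insert_param(con, usn, name, marks):
    """Tim's fix (Answer 0): fixed SQL text with placeholders; the driver sends
    the values out of band, so quoting is never the caller's job and input
    cannot change the statement's structure. int() mirrors Int32.Parse for the
    integer columns."""
    sql = "INSERT INTO Student (USN, Name, Marks) VALUES (?, ?, ?)"
    try:
        con.execute(sql, (int(usn), name, int(marks)))
        con.commit()
        return None
    except (sqlite3.Error, ValueError) as e:
        return str(e)


def names(con):
    """Names currently stored, in insertion order."""
    return [row[0] for row in con.execute("SELECT Name FROM Student ORDER BY rowid")]


if __name__ == "__main__":
    con = make_db()
    print(insert_concat(con, "101", "John", "85"))    # engine error: no such column: John
    print(insert_concat(con, "101", "5", "85"))       # None: numeric text is accepted
    print(insert_quoted(con, "102", "John", "70"))    # None: quoting fixes the plain case
    print(insert_quoted(con, "103", "O'Brien", "90")) # engine error: apostrophe breaks the literal
    print(insert_param(con, "103", "O'Brien", "90"))  # None: bound parameter stores it verbatim
    print(names(con))
```

Running the module shows the progression the answers describe: the unquoted concatenation fails on any non-numeric name, the hand-quoted version fails as soon as a real-world name contains an apostrophe, and the parameterized version stores every input exactly as typed, with no quoting logic to get wrong.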