Inserting records into a database from a form

Time: 2014-02-26 21:16:27

Tags: c# sql ms-access

I have an Access DB connected to my form with this code (C#):

System.Data.OleDb.OleDbConnection conn = new System.Data.OleDb.OleDbConnection();
conn.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data source= Z:\Tempesta\Area Progetto\Area_Progetto_20_02_2014\Area_Progetto_DATA_MAGAZINE\Data_Magazine\Data_Magazine\DB\DataMG.mdb";
try
{
    System.Data.OleDb.OleDbCommand cmd = new System.Data.OleDb.OleDbCommand();
    cmd.CommandType = System.Data.CommandType.Text;
    cmd.CommandText = "INSERT into Prodotti ([Codice],[Descrizione],[Marchio],[Deposito],[Note],[NumeroProdotti],[PrzListinoBase_Aq],[PrzListinoBase_Ve],[Categoria],[Posizione],[Disponibilita],[QtaVenduta],[QtaAcquistata]) VALUES ('" + this.Codice.Text + "','" + this.Descr.Text + "','" + this.Marchio.Text + "','" + this.Deposito.Text + "'," + this.Note.Text + "," + this.NumProd.Text + "," + this.PrzListAcq.Text + "," + this.PrzListVen.Text + ",'" + this.Categ.Text + "','" + this.Posiz.Text + "'," + this.Disp.Text + "," + this.QtaVen.Text + "," + this.QtaAcq.Text + ")";
    cmd.Connection = conn;
    conn.Open();
    cmd.ExecuteNonQuery();
    conn.Close(); 
}
catch(Exception ex)
{
    MessageBox.Show(ex.ToString());
    // MessageBox.Show("Connessione Fallita!");
    conn.Close();
}
finally
{
    conn.Close();
}

The error I get when I click the button is this:

Error

Any ideas?

5 answers:

Answer 0 (score: 0)

I don't know Italian (is that even the language? :)) but from the look of it, it is most likely a culture settings problem. For example, if one of your fields is numeric, the database may expect a different decimal separator than the one used in the UI.

Also, your current design looks very vulnerable to SQL injection attacks.

For these reasons, my suggestion is that you use the command's Parameters collection to set your values instead of trying to pass in a concatenated string.

Answer 1 (score: 0)

I don't read the language the error you posted is in, but there is a syntax error somewhere in the SqlCommand.

I would suggest first wrapping your connection and command in using blocks to make sure they are disposed of properly.

Then always use parameterized SQL commands to avoid SQL injection:

using (var conn = new System.Data.OleDb.OleDbConnection(@"Provider=Microsoft.Jet.OLEDB.4.0;Data source= Z:\Tempesta\Area Progetto\Area_Progetto_20_02_2014\Area_Progetto_DATA_MAGAZINE\Data_Magazine\Data_Magazine\DB\DataMG.mdb"))
using (var cmd = new System.Data.OleDb.OleDbCommand())
{
    cmd.CommandText = "INSERT INTO TableName (column1, column2, column3) VALUES (@Value1, @Value2, @Value3)";
    cmd.Parameters.AddWithValue("@Value1", this.TextBox1.Text);
    cmd.Parameters.AddWithValue("@Value2", this.TextBox2.Text);
    cmd.Parameters.AddWithValue("@Value3", this.TextBox3.Text);

    conn.Open();
    cmd.ExecuteNonQuery();
}

In general, using parameters eliminates syntax errors because it makes the command far easier to read than its string-concatenated representation.

Answer 2 (score: 0)

You are missing single quotes in your insert statement where you assign values to the columns. Your code is vulnerable, so this should be avoided; here is a useful link: Are Parameters really enough to prevent Sql injections?

System.Data.OleDb.OleDbConnection conn = new System.Data.OleDb.OleDbConnection();
conn.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data source= Z:\Tempesta\Area Progetto\Area_Progetto_20_02_2014\Area_Progetto_DATA_MAGAZINE\Data_Magazine\Data_Magazine\DB\DataMG.mdb";
try
{
    System.Data.OleDb.OleDbCommand cmd = new System.Data.OleDb.OleDbCommand();
    cmd.CommandType = System.Data.CommandType.Text;
    cmd.CommandText = "INSERT into Prodotti (Codice,Descrizione,Marchio,Deposito,Note,NumeroProdotti,PrzListinoBase_Aq,PrzListinoBase_Ve,Categoria,Posizione,Disponibilita,QtaVenduta,QtaAcquistata) VALUES('" + this.Codice.Text + "','" + this.Descr.Text + "','" + this.Marchio.Text + "','" + this.Deposito.Text + "','" + this.Note.Text + "','" + this.NumProd.Text + "','" + this.PrzListAcq.Text + "','" + this.PrzListVen.Text + "','" + this.Categ.Text + "','" + this.Posiz.Text + "','" + this.Disp.Text + "','" + this.QtaVen.Text + "','" + this.QtaAcq.Text + "')";
    conn.Open();
    cmd.Connection = conn;
    cmd.ExecuteNonQuery();
    conn.Close();
}
catch(Exception ex)
{
    MessageBox.Show(ex.ToString());
    // MessageBox.Show("Connessione Fallita!");
    conn.Close();
}
finally
{
    conn.Close();
}

Answer 3 (score: 0)

I think some of the text qualifiers in your INSERT statement may be missing single quotes.

"INSERT into Prodotti ([Codice],[Descrizione],[Marchio],[Deposito],[Note],[NumeroProdotti],[PrzListinoBase_Aq],[PrzListinoBase_Ve],[Categoria],[Posizione],[Disponibilita],[QtaVenduta],[QtaAcquistata]) VALUES ('" + this.Codice.Text + "','" + this.Descr.Text + "','" + this.Marchio.Text + "','" + this.Deposito.Text + "'," + this.Note.Text + "," + this.NumProd.Text + "," + this.PrzListAcq.Text + "," + this.PrzListVen.Text + ",'" + this.Categ.Text + "','" + this.Posiz.Text + "'," + this.Disp.Text + "," + this.QtaVen.Text + "," + this.QtaAcq.Text + ")";

Consider using a parameterized query instead of building the query string by hand. Not only is it safer, it also helps clear up these kinds of errors, which can be very hard to debug.

For example:

String StrSQL = "INSERT INTO tblLog ([Part_Number],[Quantity],[Date],[LOC_Warehouse],[LOC_Row],[LOC_Section],[LOC_Level],[LOC_Bin],[Stock_Added],[Stock_Removed],[Quarantine_Set],[Quarantine_Removed])"
              + "VALUES(@Part_Number, @Quantity, @Date, @Warehouse, @Row, @Section, @Level, @Bin, @Stock_Added, @Stock_Removed, @Quarantine_Set, @Quarantine_Removed)";
SqlConnection conn = new SqlConnection(WHITS.Properties.Settings.Default.LocalConnStr);
SqlCommand cmd = new SqlCommand(StrSQL, conn);
cmd.Parameters.AddWithValue("@Part_Number", Part_Number);
cmd.Parameters.AddWithValue("@Quantity", Quantity);
cmd.Parameters.AddWithValue("@Date", DateTime.Now);
//More Parameters... Skipped for brevity.
conn.Open();
cmd.ExecuteNonQuery();
conn.Close();
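Added example (not code from the question or from any of the answers) that applies answers 0 through 3 to the question's own INSERT: every value goes in as a typed OleDb parameter, and the numeric textboxes are parsed with the UI culture so the decimal separator never reaches the SQL text. Assumptions: the Jet provider binds parameters by position (so the ? placeholders are filled in the order the parameters are added), Note is a text column (it is concatenated unquoted in the question, which is the likely syntax error), the numeric columns are Integer/Currency, and the .mdb path is a placeholder to be replaced.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Globalization;
using System.Windows.Forms;

public partial class ProductForm : Form
{
    // Placeholder; substitute the real .mdb path from the question.
    private const string ConnStr =
        @"Provider=Microsoft.Jet.OLEDB.4.0;Data source=<path-to-DataMG.mdb>";

    // Jet OLE DB binds parameters by position, not by name, so the order of
    // the Parameters.Add calls below must match the order of the ? markers.
    private const string InsertSql =
        "INSERT INTO Prodotti ([Codice],[Descrizione],[Marchio],[Deposito],[Note]," +
        "[NumeroProdotti],[PrzListinoBase_Aq],[PrzListinoBase_Ve],[Categoria]," +
        "[Posizione],[Disponibilita],[QtaVenduta],[QtaAcquistata]) " +
        "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)";

    // Parse numeric textboxes with the UI culture (e.g. "1,50" on an Italian
    // locale). Bad input throws FormatException here, before any SQL runs,
    // and the typed value is handed to the provider rather than spliced into text.
    private static decimal ParseDecimal(string text) =>
        decimal.Parse(text, NumberStyles.Number, CultureInfo.CurrentCulture);
    private static int ParseInt(string text) =>
        int.Parse(text, NumberStyles.Integer, CultureInfo.CurrentCulture);

    private void InsertProduct()
    {
        using (var conn = new OleDbConnection(ConnStr))
        using (var cmd = new OleDbCommand(InsertSql, conn))
        {
            var p = cmd.Parameters;
            p.Add("Codice", OleDbType.VarWChar).Value = Codice.Text;
            p.Add("Descrizione", OleDbType.VarWChar).Value = Descr.Text;
            p.Add("Marchio", OleDbType.VarWChar).Value = Marchio.Text;
            p.Add("Deposito", OleDbType.VarWChar).Value = Deposito.Text;
            p.Add("Note", OleDbType.VarWChar).Value = Note.Text; // assumed text column
            p.Add("NumeroProdotti", OleDbType.Integer).Value = ParseInt(NumProd.Text);
            p.Add("PrzListinoBase_Aq", OleDbType.Currency).Value = ParseDecimal(PrzListAcq.Text);
            p.Add("PrzListinoBase_Ve", OleDbType.Currency).Value = ParseDecimal(PrzListVen.Text);
            p.Add("Categoria", OleDbType.VarWChar).Value = Categ.Text;
            p.Add("Posizione", OleDbType.VarWChar).Value = Posiz.Text;
            p.Add("Disponibilita", OleDbType.Integer).Value = ParseInt(Disp.Text);
            p.Add("QtaVenduta", OleDbType.Integer).Value = ParseInt(QtaVen.Text);
            p.Add("QtaAcquistata", OleDbType.Integer).Value = ParseInt(QtaAcq.Text);
            conn.Open();
            cmd.ExecuteNonQuery(); // the using blocks close and dispose conn and cmd
        }
    }
}
```

Call InsertProduct() from the button handler inside a try/catch so a FormatException from a numeric field or an OleDbException from the provider is reported to the user rather than crashing the form.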

Answer 4 (score: 0)

Open your connection up front. Also, use "using". This is how I would do it:

try
{
    string connectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data source= Z:\Tempesta\Area Progetto\Area_Progetto_20_02_2014\Area_Progetto_DATA_MAGAZINE\Data_Magazine\Data_Magazine\DB\DataMG.mdb";

    using (System.Data.OleDb.OleDbConnection conn = new System.Data.OleDb.OleDbConnection(connectionString))
    {
        conn.Open();
        string insertQuery = "INSERT into Prodotti ([Codice],[Descrizione],[Marchio],[Deposito],[Note],[NumeroProdotti],[PrzListinoBase_Aq],[PrzListinoBase_Ve],[Categoria],[Posizione],[Disponibilita],[QtaVenduta],[QtaAcquistata]) VALUES ('" + this.Codice.Text + "','" + this.Descr.Text + "','" + this.Marchio.Text + "','" + this.Deposito.Text + "'," + this.Note.Text + "," + this.NumProd.Text + "," + this.PrzListAcq.Text + "," + this.PrzListVen.Text + ",'" + this.Categ.Text + "','" + this.Posiz.Text + "'," + this.Disp.Text + "," + this.QtaVen.Text + "," + this.QtaAcq.Text + ")";
        System.Data.OleDb.OleDbCommand cmd = new System.Data.OleDb.OleDbCommand(insertQuery, conn);
        cmd.CommandType = System.Data.CommandType.Text;
        cmd.ExecuteNonQuery();
        conn.Close(); // the using block disposes the connection as well
    }
}
catch (Exception ex)
{
    // a try block needs a catch or finally to compile; report the failure
    MessageBox.Show(ex.ToString());
}

EDIT: My bad... the code I was referencing was filling a DataAdapter, which does not need a call to connection.Open(). Regular queries do. Apologies... I have edited my suggestion.