VB .NET中更新查询中的语法错误

时间:2014-04-06 05:03:32

标签: sql vb.net ms-access

我正在尝试在VB .NET中运行SQL命令,但它在我的字符串变量中返回语法错误的错误消息,我自己无法弄清楚,因为这是我第一次使用SQL命令编程的经验具体信息是:

查询表达式中的语法错误(缺少运算符)'='045617123'。

其中“045617123”是存储在其中一个数据字段中的数据

有人可以帮我解决这个问题吗?谢谢

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Dim constr As String = "Provider = Microsoft.ACE.OLEDB.12.0;" & "Data Source = C:\Users\JohnnyCheng\Documents\GradeBook.accdb"
    Dim conobj As New OleDb.OleDbConnection(constr)
    Dim da1 As New OleDb.OleDbDataAdapter()
    Dim da2 As New OleDb.OleDbDataAdapter()
    Dim sqlstr1 As String = ""
    Dim sqlstr2 As String = ""
    conobj.Open()
    For i As Integer = 0 To vt1.Rows.Count - 1
        sqlstr1 = "UPDATE Students SET LastName = '" & vt1.Rows(i)(1) & "', FirstName = '" & vt1.Rows(i)(2) & "', StreetAddress = '" & vt1.Rows(i)(3) & "', City = '" & vt1.Rows(i)(4) & "', State = '" & vt1.Rows(i)(5) & "', ZipCode = '" & vt1.Rows(i)(6) & "' WHERE = '" & vt1.Rows(i)(0) & "'"
        da1.UpdateCommand = New OleDb.OleDbCommand(sqlstr1, conobj)
        da1.UpdateCommand.ExecuteNonQuery()
    Next
    'For i As Integer = 0 To vt2.Rows.Count - 1
    'sqlstr2 = "UPDATE Grades SET FirstExam = " & vt2.Rows(i)(1) & ", SecondExam = " & vt2.Rows(i)(2) & ", FinalExam = " & vt2.Rows(i)(3) & "WHERE StID = " & vt1.Rows(i)(0)
    'da2.UpdateCommand = New OleDb.OleDbCommand(sqlstr2, conobj)
    'da2.UpdateCommand.ExecuteNonQuery()
    'Next
    conobj.Close()
End Sub

1 个答案:

答案 0 :(得分:0)

使用SqlParameters。如果您的某些数据字段包含' charachter,则sql查询会返回语法错误。或者用户可以创建Sql injection查询。

WHERE = '" & vt1.Rows(i)(0) & "'"中的语法错误没有列名必须与数据字段值相同

这里使用参数的示例:

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Dim constr As String = "Provider = Microsoft.ACE.OLEDB.12.0;" & "Data Source = C:\Users\JohnnyCheng\Documents\GradeBook.accdb"

    Dim query as New StringBuilder()
    With query
        .AppendLine("UPDATE Students SET LastName = @LastName")
        .AppendLine(", FirstName = @FirstName")
        .AppendLine(", StreetAddress = @StreetAddress")
        .AppendLine(", City = @City")
        .AppendLine(", State  = @State")
        .AppendLine(", ZipCode = @ZipCode")
        .AppendLine("WHERE YourIDField = @ID;")
    End With
    Using conobj As New OleDb.OleDbConnection(constr)
        conobj.Open()
        Dim da1 As New OleDb.OleDbDataAdapter()
        For i As Integer = 0 To vt1.Rows.Count - 1
            Using updCommand As New OleDb.OleDbCommand(query.ToString(), New OleDb.OleDbConnection(""))
                updCommand.Parameters.AddWithValue("@LastName", vt1.Rows(i)(1)) 
                updCommand.Parameters.AddWithValue("@FirstName ", vt1.Rows(i)(2))
                updCommand.Parameters.AddWithValue("@StreetAddress ", vt1.Rows(i)(3))
                updCommand.Parameters.AddWithValue("@City ", vt1.Rows(i)(4))
                updCommand.Parameters.AddWithValue("@State ", vt1.Rows(i)(5))
                updCommand.Parameters.AddWithValue("@ZipCode", vt1.Rows(i)(6))
                updCommand.Parameters.AddWithValue("@ID", vt1.Rows(i)(0))
                da1.UpdateCommand = updCommand
                da1.UpdateCommand.ExecuteNonQuery()
            End Using
        Next
    End Using
End Sub
相关问题
最新问题