我正在寻找一些帮助,试图找出为什么我在vb.net中的更新命令上看到SQL错误,并指出我的SQL体验非常有限。
我正在建立一个配置文件系统,将在我们公司内的其他几个工具中使用,作为配置文件系统的一部分,在页面加载时查询用户的信息并将数据存储在变量显示在页面上的标签中。
然后,用户可以选择创建新的配置文件(如果不存在),或者更新现有配置文件(如果已存在)。该代码使用用户员工ID基于对表的查询来确定正确的操作。
我的插入命令工作正常,但更新没有,下面是我当前的代码和错误。
这是用于创建新条目的insert语句,这可以正常工作。
Protected Sub btnInsert_Click(sender As Object, e As EventArgs) Handles btnInsert.Click
Try
Dim con As New SqlConnection
Dim cmd As New SqlCommand
con.ConnectionString = "Data Source="server" Catalog=usertable;Integrated Security=True"
con.Open()
cmd.Connection = con
cmd.CommandText = "INSERT INTO Profile (FirstName, LastName, Email, Telephone, EmployeeID, NTLogin) VALUES ('" & lblFirstName.Text & "','" & lblLastName.Text & "','" & lblEmail.Text & "','" & lblPhone.Text & "','" & lblEID.Text & "','" & lblNT.Text & "')"
cmd.ExecuteNonQuery()
btnInsert.Enabled = False
lblValid.Text = "Record Inserted Successfully"
con.Close()
Catch ex As System.Exception
lblValid.Text = (ex.Message)
End Try
以下是提供错误的更新代码:
Protected Sub btnUpdate_Click(sender As Object, e As EventArgs) Handles btnUpdate.Click
Try
Dim con As New SqlConnection
Dim cmd As New SqlCommand
con.ConnectionString = "server;Initial Catalog=usertable;Integrated Security=True"
con.Open()
cmd.Connection = con
cmd.CommandText = "UPDATE Profile (FirstName, LastName, Email, Telephone, EmployeeID, NTLogin) VALUES ('" & lblFirstName.Text & "','" & lblLastName.Text & "','" & lblEmail.Text & "','" & lblPhone.Text & "','" & lblEID.Text & "','" & lblNT.Text & "') Where [EmployeeID] = '" & lblEID.text & "'"
cmd.ExecuteNonQuery()
btnUpdate.Enabled = False
lblValid.Text = "Record Updated Successfully"
con.Close()
Catch ex As System.Exception
lblValid.Text = (ex.Message)
End Try
End Sub
返回的异常错误是
[SqlException (0x80131904): Incorrect syntax near '('.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +392
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +815
System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) +4515
System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite) +1390
System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite) +538
System.Data.SqlClient.SqlCommand.ExecuteNonQuery() +290
newprofile.btnUpdate_Click(Object sender, EventArgs e) +759
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +155
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3804
我很茫然,感谢任何帮助。
答案 0 :(得分:3)
更新语法完全无效,如@JBKing所述。
更新语句的格式为:
UPDATE myTableName SET field=new_value WHERE condition=some_value
另外,为避免可能的注入,请不要将字段值直接传递给SQL命令。使用参数How to use parameters "@" in an SQL command in VB
答案 1 :(得分:1)
cmd.CommandText = "UPDATE Profile (FirstName, LastName, Email, Telephone, EmployeeID, NTLogin) VALUES ('" & lblFirstName.Text & "','" & lblLastName.Text & "','" & lblEmail.Text & "','" & lblPhone.Text & "','" & lblEID.Text & "','" & lblNT.Text & "') Where [EmployeeID] = '" & lblEID.text & "'"
应该是这样的:
cmd.CommandText = "UPDATE Profile SET FirstName='"&lblFirstName.Text&"', LastName='"&lblLastName.Text&"', Email='"&lblEmail.Text&"', Telephone='"&lblPhone.Text&"', EmployeeID='"&lblEID.Text&"', NTLogin='"&lblNT.Text&"' Where [EmployeeID] = '" & lblEID.text & "'"
我会注意姓名,如" O' Connor"可能会破坏您的SQL,因为在大多数情况下,首选存储过程或参数是为了防止SQL注入攻击。
答案 2 :(得分:1)
感谢所有提供帮助的人。在示例和链接共享之间,我能够重建我的命令,以便它正确更新,现在使用参数化查询而不是直接插入语句进行设置,或者至少对我来说是正确的,并且正在工作。
以下是我的最终代码。
Try
Dim con As New SqlConnection
Dim cmd As New SqlCommand
con.ConnectionString = "Data Source=server;Initial Catalog=database;Integrated Security=True"
con.Open()
cmd.Connection = con
cmd.CommandText = ("UPDATE Profile SET FirstName = @FirstName, LastName = @LastName, Email = @Email, Telephone = @Telephone, EmployeeID = @EmployeeID, NTLogin = @NTLogin, Organization = @Organization, Permission = @Permission Where [EmployeeID] = '" & eID & "'")
cmd.Parameters.Add("@FirstName", SqlDbType.VarChar).Value = lblFirstName.Text
cmd.Parameters.Add("@LastName", SqlDbType.VarChar).Value = lblLastName.Text
cmd.Parameters.Add("@Email", SqlDbType.VarChar).Value = lblEmail.Text
cmd.Parameters.Add("@Telephone", SqlDbType.VarChar).Value = lblPhone.Text
cmd.Parameters.Add("@EmployeeID", SqlDbType.VarChar).Value = lblEID.Text
cmd.Parameters.Add("@NTLogin", SqlDbType.VarChar).Value = lblNT.Text
cmd.Parameters.Add("@Organization", SqlDbType.VarChar).Value = lblOrg.Text
cmd.Parameters.Add("@Permission", SqlDbType.VarChar).Value = "requestor"
cmd.ExecuteNonQuery()
con.close
lblValid.Text = "Record Updated Successfully"
Catch ex As System.Exception
lblValid.Text = (ex.Message)
End Try
谢谢!