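I have a combo box connected to a column in an Access database, and if my combo box value is empty I want to put a null value in the database field for that column. I wrote this code; I know it is wrong, but I can't figure it out.
myvalue is declared as Integer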
Dim myConnectionString As SqlConnection = New SqlConnection("Data Source=*****\****;Initial Catalog=****;user=***;password=****")
Dim myCommand As String
Dim cmd As SqlCommand
Dim myvalue As Integer
If IsDBNull(Form1.CBEsp2.SelectedValue) Then
myvalue = vbNull
Else
myvalue = Form1.CBEsp2.SelectedValue
End If
MsgBox(Form1.CBEsp2.SelectedValue)
myCommand = "UPDATE DoctorEnterpriseDetails SET " & _
"RankId = " & Form1.CBSelec.SelectedValue & ", " & _
"GroupId = " & Form1.CBCateg.SelectedValue & ", " & _
"PrescribingPotential = " & Form1.CBPP.SelectedValue & ", " & _
"Observation = '" & Form1.TxtObs2.Text & "', " & _
"Telephone = '" & Convert_Null(Form1.TxtTelefone.Text, "") & "', " & _
"Mobile = '" & Convert_Null(Form1.TxtTelem.Text, "") & "', " & _
"Speciality1 = " & Form1.CBEsp1.SelectedValue & ", " & _
"Speciality2 = " & myvalue & " " & _
"WHERE EnterpriseId = 26 AND DoctorId = " & Form1.labelvazia.Text
MsgBox(myCommand)
cmd = New SqlCommand(myCommand, myConnectionString)
cmd.Connection.Open()
cmd.ExecuteNonQuery()
cmd.Connection.Close()
Thanks.
Answer 0 (score: 0)
I think you should rewrite your query and use a parameterized approach instead of string concatenation.
' Object can hold either an Integer or DBNull.Value
Dim meuvalor As Object
' An empty combo box returns Nothing; a bound null value returns DBNull
If Form1.CBEsp2.SelectedValue Is Nothing OrElse IsDBNull(Form1.CBEsp2.SelectedValue) Then
    meuvalor = DBNull.Value
Else
    meuvalor = Form1.CBEsp2.SelectedValue
End If
Dim myCommand = "UPDATE DoctorEnterpriseDetails SET " & _
"RankId = @RankID, GroupId = @GroupID, " & _
"PrescribingPotential = @PrescribingPotential, " & _
"Observation = @Observation, Telephone = @Telephone, " & _
"Mobile = @Mobile, Speciality1 = @Speciality1, " & _
"Speciality2 = @Speciality2 " & _
"WHERE EnterpriseId = 26 AND DoctorId = @DoctorID"
Using conn = New SqlConnection("....")
    Using cmd = New SqlCommand(myCommand, conn)
        conn.Open()
        cmd.Parameters.Add("@RankID", SqlDbType.Int).Value = Convert.ToInt32(Form1.CBSelec.SelectedValue)
        cmd.Parameters.Add("@GroupID", SqlDbType.Int).Value = Convert.ToInt32(Form1.CBCateg.SelectedValue)
        cmd.Parameters.Add("@PrescribingPotential", SqlDbType.Int).Value = Convert.ToInt32(Form1.CBPP.SelectedValue)
        cmd.Parameters.Add("@Observation", SqlDbType.NVarChar).Value = Form1.TxtObs2.Text
        ' ... and so on for the other parameters .....
        ' ... the one with the null value will be
        cmd.Parameters.Add("@Speciality2", SqlDbType.Int).Value = meuvalor
        ' ....
        cmd.ExecuteNonQuery()
    End Using
End Using
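This is an example of a parameterized query. The values are not concatenated into the query text (which also makes it more readable), but are added to the Parameters collection of the SqlCommand, while the query text contains only placeholders (@xxxx). Every parameter should be defined with the correct DataType (SqlDbType enumeration) and converted from its UI representation to the VB.NET type before being added to the collection.
This approach makes your code safer, because you don't have to worry about a malicious user typing dangerous text into your text boxes (SQL Injection), and when a parameter is specified with its type, there is no room for parsing errors in the values (decimal separators, date formats, string quotes, etc.).
For the NULL value, you should pass DBNull.Value, which will be correctly translated into the null value required in the database field.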
Answer 1 (score: 0)
I wrote this and it works.. probably not the best solution.
If IsNothing(Form1.CBEsp2.SelectedValue) Then
myCommand = "UPDATE DoctorEnterpriseDetails SET " & _
"RankId = " & Form1.CBSelec.SelectedValue & ", " & _
"GroupId = " & Form1.CBCateg.SelectedValue & ", " & _
"PrescribingPotential = " & Form1.CBPP.SelectedValue & ", " & _
"Observation = '" & Form1.TxtObs2.Text & "', " & _
"Telephone = '" & Convert_Null(Form1.TxtTelefone.Text, "") & "', " & _
"Mobile = '" & Convert_Null(Form1.TxtTelem.Text, "") & "', " & _
"Speciality1 = " & Form1.CBEsp1.SelectedValue & ", " & _
"Speciality2 = NULL " & _
"WHERE EnterpriseId = 26 AND DoctorId = " & Form1.labelvazia.Text
Else
myCommand = "UPDATE DoctorEnterpriseDetails SET " & _
"RankId = " & Form1.CBSelec.SelectedValue & ", " & _
"GroupId = " & Form1.CBCateg.SelectedValue & ", " & _
"PrescribingPotential = " & Form1.CBPP.SelectedValue & ", " & _
"Observation = '" & Form1.TxtObs2.Text & "', " & _
"Telephone = '" & Convert_Null(Form1.TxtTelefone.Text, "") & "', " & _
"Mobile = '" & Convert_Null(Form1.TxtTelem.Text, "") & "', " & _
"Speciality1 = " & Form1.CBEsp1.SelectedValue & ", " & _
"Speciality2 = " & Form1.CBEsp2.SelectedValue & " " & _
"WHERE EnterpriseId = 26 AND DoctorId = " & Form1.labelvazia.Text
End If
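Added example (not code from either answer): once Speciality2 is bound as a parameter, the two branches above collapse into a single command and the text-box values never reach the SQL text. The module, function and helper names, the function signature, and the NVarChar types for Telephone and Mobile are assumptions; the table and column names come from the question.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module DoctorDetailsUpdate ' hypothetical module name
    ' Nothing (no selection) and DBNull (null in bound data) both mean "no value".
    Function ToNullableInt(value As Object) As Integer?
        If value Is Nothing OrElse IsDBNull(value) Then Return Nothing
        Return Convert.ToInt32(value)
    End Function

    ' A parameter whose Value is Nothing is not sent, so NULL must be DBNull.Value.
    Function DbValue(value As Integer?) As Object
        If value.HasValue Then Return value.Value
        Return DBNull.Value
    End Function

    ' Returns the number of rows updated.
    ' Call with speciality2 := ToNullableInt(Form1.CBEsp2.SelectedValue).
    Function UpdateDoctorDetails(connectionString As String, doctorId As Integer, _
            rankId As Integer, groupId As Integer, prescribingPotential As Integer, _
            observation As String, telephone As String, mobile As String, _
            speciality1 As Integer, speciality2 As Integer?) As Integer
        Const sql As String = _
            "UPDATE DoctorEnterpriseDetails SET " & _
            "RankId = @RankID, GroupId = @GroupID, " & _
            "PrescribingPotential = @PrescribingPotential, " & _
            "Observation = @Observation, Telephone = @Telephone, " & _
            "Mobile = @Mobile, Speciality1 = @Speciality1, " & _
            "Speciality2 = @Speciality2 " & _
            "WHERE EnterpriseId = 26 AND DoctorId = @DoctorID"
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, conn)
                With cmd.Parameters
                    .Add("@RankID", SqlDbType.Int).Value = rankId
                    .Add("@GroupID", SqlDbType.Int).Value = groupId
                    .Add("@PrescribingPotential", SqlDbType.Int).Value = prescribingPotential
                    .Add("@Observation", SqlDbType.NVarChar).Value = If(observation, "")
                    .Add("@Telephone", SqlDbType.NVarChar).Value = If(telephone, "")
                    .Add("@Mobile", SqlDbType.NVarChar).Value = If(mobile, "")
                    .Add("@Speciality1", SqlDbType.Int).Value = speciality1
                    .Add("@Speciality2", SqlDbType.Int).Value = DbValue(speciality2)
                    .Add("@DoctorID", SqlDbType.Int).Value = doctorId
                End With
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```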