My VB project has a save command. The problem is that it won't save text that contains a double quote ("), a single quote (') or brackets. I think it has to do with the SQL command.. here is my code for save and update
Save
Try
    connection.Open()
    Dim myAdapter As New MySqlDataAdapter
    Dim myDatatable As New DataTable
    Dim command As New MySqlCommand
    Dim add As String
    ' The form text is concatenated straight into the SQL string, so a quote in
    ' any field breaks the statement (and lets the input rewrite the query).
    add = "INSERT INTO tracker.recordtracker (Action_Taken, Marginal_Note, Remarks, Type_of_Document, Referred_Date, Items, Received_From, Received_Date, Referred_To, recdate, refdate) VALUES ('" & acttaken.Text & "','" & margnote.Text & "','" & remarks.Text & "','" & doctype.Text & "','" & rfrldatelbl.Text & "','" & itemtbx.Text & "','" & rfromtbx.Text & "','" & rcvdate.Text & "','" & reftotbx.Text & "','" & rdate.Text & "',@refdate)"
    refdate.CustomFormat = "yyyy-MM-dd"
    command = New MySqlCommand(add, connection)
    ' @refdate is referenced in the statement but was never defined in the
    ' posted code; it has to be added to the command before it runs.
    command.Parameters.AddWithValue("@refdate", refdate.Text)
    ' Fill() executes the INSERT here; ExecuteNonQuery would be the usual call.
    myAdapter.SelectCommand = command
    myAdapter.Fill(myDatatable)
    MsgBox("Data has been successfully added.")
    clearfield()
    loaddatabase()
    connection.Close()
    connection.Dispose()
Catch ex As Exception
    MsgBox(ex.Message)
End Try
Update
Try
    connection.Open()
    rcvdate.Text = rdate.Text
    If refdate.Checked = False Then
        rfrldatelbl.Text = "____-__-__"
    Else
        refdate.CustomFormat = "yyyy-MM-dd"
        rfrldatelbl.Text = refdate.Text & " " & TimeOfDay
    End If
    Dim query As String
    ' Same string concatenation problem as the save command above.
    query = "update tracker.recordtracker set Action_Taken='" & acttaken.Text & "', Marginal_Note='" & margnote.Text & "', Remarks='" & remarks.Text & "', Type_of_Document='" & doctype.Text & "', Items='" & itemtbx.Text & "', Referred_To='" & reftotbx.Text & "', Referred_Date='" & rfrldatelbl.Text & "', recdate='" & rdate.Text & "', refdate='" & refdate.Text & "' where id = '" & ID.Text & "'"
    utos = New MySqlCommand(query, connection)
    ' An UPDATE returns no rows, so ExecuteNonQuery is the right call
    ' (the original used ExecuteReader, which leaves an open reader behind).
    utos.ExecuteNonQuery()
    MsgBox("Data has been changed.")
    connection.Close()
    loaddatabase()
    connection.Close()
    connection.Dispose()
Catch ex As Exception
    MsgBox(ex.Message)
End Try
Answer 0 (score: 3)
You are appending to the string that forms the SQL query. You need to read up on SQL injection to understand why this is a bad idea. Basically, it allows anyone who can submit values into your string to take control of your database. You probably want to do something like:
Imports System.Data
Imports System.Data.SqlClient

Dim sql As String = "INSERT INTO foo (baz) VALUES (@Baz)"
Using cn As New SqlConnection("Your connection string here"), _
      cmd As New SqlCommand(sql, cn)
    ' The value is sent separately from the SQL text, so quotes in Baz
    ' cannot change the statement. The same pattern works with
    ' MySqlConnection / MySqlCommand / MySqlDbType.
    cmd.Parameters.Add("@Baz", SqlDbType.VarChar, 50).Value = Baz
    cn.Open()
    cmd.ExecuteNonQuery()
End Using
to fix your problem.
Answer 1 (score: 0)
A string is a sequence of bytes or characters enclosed within either single quote ("'") or double quote (""") characters.
So ' is a reserved character; if you want to use it in the content of the string, you need to use the escape sequence \'.
But as @Matt Fellows mentioned in his answer, the better practice for saving string values in the database is SqlParameters.
With SqlParameter you don't need escape sequences, and the string is kept as-is (based on the column's type):
Imports System.Data
Imports System.Data.SqlClient

Dim param As New SqlParameter With {.ParameterName = "@text",
                                    .SqlDbType = SqlDbType.VarChar,
                                    .Value = "Your 'Name' in quotes"}
' The embedded quotes reach the column unchanged; no escaping needed.