Incorrect syntax near ','

Time: 2015-06-29 07:26:45

Tags: vb.net

My code is below; I get an incorrect syntax error.

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        If ComboBox1.Text = "" Then
            MessageBox.Show("ເລືອກໂຕະທີ່ຕ້ອງການຊຳລະ")
        ElseIf TextBox1.Text = "" Then
            MessageBox.Show("ເລືອກສິນຄ້າ")
        ElseIf TextBox2.Text = "" Then
            MessageBox.Show("ເລືອກຈຳນວນສິນຄ້າ")
        Else
            Dim OrderData As Date
            OrderData = FormatDateTime(Now, DateFormat.ShortDate)
            Dim cnsql = "insert into TbOrderDetail values(" & Label1.Text & ","
            cnsql &= "" & ProductID & "," & TextBox2.Text & ","
            cnsql &= "" & Label2.Text & ")"
            SQL.ManageData(cnsql)
        End If
        showData()
        showData22()
        TextBox2.Focus()
    End Sub

3 answers:

Answer 0: (score: 0)

I'm pretty sure you need to define the .Text properties as text strings in the SQL code. Try this:

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        If ComboBox1.Text = "" Then
            MessageBox.Show("ເລືອກໂຕະທີ່ຕ້ອງການຊຳລະ")
        ElseIf TextBox1.Text = "" Then
            MessageBox.Show("ເລືອກສິນຄ້າ")
        ElseIf TextBox2.Text = "" Then
            MessageBox.Show("ເລືອກຈຳນວນສິນຄ້າ")
        Else
            Dim OrderData As Date
            OrderData = FormatDateTime(Now, DateFormat.ShortDate)
            Dim cnsql = "insert into TbOrderDetail values('" & Label1.Text & "',"
            cnsql &= "" & ProductID & ",'" & TextBox2.Text & "',"
            cnsql &= "'" & Label2.Text & "')"
            SQL.ManageData(cnsql)
        End If
        showData()
        showData22()
        TextBox2.Focus()
    End Sub

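I left ProductID alone because it should be an integer.

Answer 1: (score: 0)

You should not concatenate strings to build your SQL query; instead you should always use parameterized queries. That prevents SQL injection and localization issues. The database has to infer the type of the parameter from its value, which can lead to incorrect casts or performance issues.

Maybe you have to wrap the text values in apostrophes, as already mentioned, but use sql-parameters instead: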

    ' Requires Imports System.Data and Imports System.Data.SqlClient at the top of the file.
    Using con As New SqlConnection(My.Settings.Default.ConnectionString)
        Using cmd As New SqlCommand("insert into TbOrderDetail values(@ProductID, @Column2, @Column3)", con)
            ' Each value travels as a typed parameter, never as part of the SQL text.
            Dim p As New SqlParameter("@ProductID", SqlDbType.Int)
            p.Value = ProductID
            cmd.Parameters.Add(p)
            p = New SqlParameter("@Column2", SqlDbType.VarChar)
            p.Value = TextBox2.Text
            cmd.Parameters.Add(p)
            p = New SqlParameter("@Column3", SqlDbType.VarChar)
            p.Value = Label2.Text
            cmd.Parameters.Add(p)
            con.Open()
            ' Number of rows inserted.
            Dim insertedCount = cmd.ExecuteNonQuery()
        End Using
    End Using

Answer 2: (score: 0)

You should write the column names next to insert into TbOrderDetail:

    insert into TbOrderDetail (columnname1, columnname2) VALUES (value1, value2)
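
Answers 1 and 2 combined, as an added example that is not part of any answer on this page: an explicit column list plus typed parameters, with the control text parsed first so an empty or non-numeric value is rejected before any statement is sent. The column names (OrderID, ProductID, Qty, Price), the numeric types and the DECIMAL(18, 2) price are assumptions, since the page never shows the TbOrderDetail schema.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Globalization

Module OrderInsertExample
    ' Column names and types are assumed; the page never shows the TbOrderDetail schema.
    Private Const InsertSql As String =
        "INSERT INTO TbOrderDetail (OrderID, ProductID, Qty, Price) " &
        "VALUES (@OrderID, @ProductID, @Qty, @Price)"

    ' Turns the raw control text into typed parameters. Returns Nothing and sets
    ' errorText when a value is empty or not numeric, so no statement is sent.
    Function BuildInsert(con As SqlConnection, orderText As String, productId As Integer,
                         qtyText As String, priceText As String,
                         ByRef errorText As String) As SqlCommand
        Dim orderId, qty As Integer
        Dim price As Decimal
        If Not Integer.TryParse(orderText, orderId) Then
            errorText = "Order id is empty or not a whole number."
            Return Nothing
        End If
        If Not Integer.TryParse(qtyText, qty) OrElse qty <= 0 Then
            errorText = "Quantity must be a positive whole number."
            Return Nothing
        End If
        ' Parsed with the current culture: where the decimal separator is a comma,
        ' "1,5" becomes the Decimal 1.5 instead of an extra comma in the SQL text.
        If Not Decimal.TryParse(priceText, NumberStyles.Number,
                                CultureInfo.CurrentCulture, price) Then
            errorText = "Price is empty or not a number."
            Return Nothing
        End If
        Dim cmd As New SqlCommand(InsertSql, con)
        cmd.Parameters.Add("@OrderID", SqlDbType.Int).Value = orderId
        cmd.Parameters.Add("@ProductID", SqlDbType.Int).Value = productId
        cmd.Parameters.Add("@Qty", SqlDbType.Int).Value = qty
        Dim p As SqlParameter = cmd.Parameters.Add("@Price", SqlDbType.Decimal)
        p.Precision = 18   ' assumed DECIMAL(18, 2) column
        p.Scale = 2
        p.Value = price
        Return cmd
    End Function
End Module
```

In the click handler, call BuildInsert(con, Label1.Text, ProductID, TextBox2.Text, Label2.Text, msg) inside a Using block for the connection; show msg when it returns Nothing, otherwise call con.Open() and cmd.ExecuteNonQuery().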