我不知道应该把分号放在哪里。这是我的代码:
Try
cn.Open()
Dim query As String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) VALUES('" & txtPID.Text & "','" & txtName.Text & "','" & txtAge.Text & "','" & cmbGender.Text & "','" & txtPhone.Text & "','" & txtAddress.Text & "','" & txtDisease.Text & "',' " & txtDI.Text & " ',' " & txtDO.Text & " ','" & txtRT.Text & "','" & txtBuilding.Text & "','" & txtRN.Text & "',' " & txtMNS.Text & " ',' " & txtUnitPrice.Text & " ',' " & cmbStatus.Text & " ','" & txtPrice.Text & "')" & _
"DELETE From RegistrationTable where [_Name]='" & ListBox1.Text & "'" & _
"Select * from RegistrationTable"
Dim cmds As New OleDbCommand
With cmds
.CommandText = query
.Connection = cn
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
答案 0 :(得分:1)
Try
cn.Open()
Dim insertQuery as String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) " & _
"VALUES(@PatientID, @Name, @Age, @Gender, @Phone, @Address, @Disease , @DateIn, @DateOut, @Building, @RoomNo, @RoomType, @UnitPrice, @Status, @MASP, @Price) "
Dim deleteQuery as String = "DELETE From RegistrationTable where [_Name]= @RegName "
Dim selectQuery as String = "Select * from RegistrationTable"
Dim insertCmd As New OleDbCommand
Dim deleteCmd as New OleDbCommand
With insertCmd
.Connection = cn
.CommandText = insertQuery
.Parameters.AddWithValue("@PatientID", txtPID.Text)
.Parameters.AddWithValue("@Name", txtName.Text)
.Parameters.AddWithValue("@Age", txtAge.Text)
.Parameters.AddWithValue("@Gender", cmbGender.Text)
.Parameters.AddWithValue("@Phone", txtPhone.Text)
.Parameters.AddWithValue("@Address", txtAddress.Text)
.Parameters.AddWithValue("@Disease", txtDisease.Text)
.Parameters.AddWithValue("@DateIn", txtDI.Text)
.Parameters.AddWithValue("@DateOUT", txtDO.Text)
.Parameters.AddWithValue("@Building", txtBuilding.Text)
.Parameters.AddWithValue("@RoomNo", txtRN.Text)
.Parameters.AddWithValue("@RoomType", txtRT.Text)
.Parameters.AddWithValue("@UnitPrice", txtUnitPrice.Text)
.Parameters.AddWithValue("@MASP", txtMNS.Text)
.Parameters.AddWithValue("@Status", cmbStatus.Text)
.Parameters.AddWithValue("@Price", txtPrice.Text)
.ExecuteNonQuery()
End With
With deleteCmd
.Connection = cn
.CommandText = deleteQuery
.Parameters.AddWithValue("@RegName", ListBox1.Text)
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
@StingyJack是对的,如果我有权访问您的界面,我可以从星期天打破您的db 6方式,因为您目前没有做任何事情来缓解SQL注入。除了参数化您的查询以防止注入,我删除了需要HAVE a;在查询中的每个DML语句的末尾,将它们分成单独的命令。选择并显示它的结果,我留给你。