Data not inserted into the database

Date: 2016-01-07 04:25:12

Tags: sql vb.net oledb

I am trying to insert data into the database with this code

Public Sub AddUser()
    Dim con As dbConn = New dbConn()
    Dim SqlSelect As String
    SqlSelect = "SELECT * FROM login Where user_id='" & WorkerID_.Text & "'"
    Dim cmd As New OleDbCommand(SqlSelect, con.oleconnection)
    Dim reader As OleDbDataReader
    Dim da As New OleDbDataAdapter

    con.open()
    reader = cmd.ExecuteReader()
    reader.Read()

    If reader.HasRows() Then
        reader.Close()
        con.close()
        FailureText.Text = "User ID already exists!"
    Else
        reader.Close()
        con.close()
        Dim InsertSQL As String
        InsertSQL = "INSERT INTO login (user_id, user_role, user_password, user_status) VALUES "
        InsertSQL &= "('" & WorkerID_.Text & "', "
        InsertSQL &= "'Worker', "
        InsertSQL &= "'12345', 1)"

        Dim SqlUpdate As String

        SqlUpdate = "INSERT INTO Worker (ID, WorkerID, WorkerName, DoB, Address, Phone, Email, CompanyName, PassportNum, PassportExp, VisaExp, VisaStatus, user_id) VALUES (default,"
        SqlUpdate &= "'" & WorkerID_.Text & "', "
        SqlUpdate &= "'" & WorkerName.Text & "', "
        SqlUpdate &= "'" & DoB.Text & "', "
        SqlUpdate &= "'" & Address.Text & "', "
        SqlUpdate &= "'" & Phone.Text & "', "
        SqlUpdate &= "'" & Email.Text & "', "
        SqlUpdate &= "'" & Company.SelectedValue & "', "
        SqlUpdate &= "'" & PassNum.Text & "', "
        SqlUpdate &= "'" & PassExp.Text & "', "
        SqlUpdate &= "'" & VisaExp.Text & "', "
        SqlUpdate &= "'No Visa', "
        SqlUpdate &= "'" & WorkerID_.Text & "') "

        Dim insertCommand As New OleDbCommand(SqlUpdate, con.oleconnection)
        Dim cmd1 As New OleDbCommand(InsertSQL, con.oleconnection)
        Try
            con.open()
            cmd1.ExecuteNonQuery()
            insertCommand.ExecuteNonQuery()
        Catch
            FailureText.Text = "Unable to add user"
        Finally
            con.close()
        End Try

    End If
    Response.Redirect("Workers.aspx")
End Sub

The Insert into login part is working; the data is inserted fine. But the insert into worker part does not work; the data is not inserted into the table. The program shows no error and still runs. What could be wrong?

2 answers:

Answer 0 (score: 1)

It looks like you have 12 parameters to insert and 13 in the VALUES part of the insert query. Is the default seen in the VALUES section below intentional?

INSERT INTO Worker (ID, ... VisaStatus) VALUES (default,"

Make sure you define and add the correct number of parameters, then let us know, but I may be missing something else.

Answer 1 (score: 1)

Read my other answer about OleDb that I just answered on another post. You are also wide open to SQL injection. Parameterize your queries. Building a command by concatenating strings: what if a value has a single quote in the text entry? You are now hosed. What if someone puts in a malicious SQL command that deletes your records or the entire table? Learn about parameterized queries and sanitizing values, especially when they come from a web interface.

Your command should probably be updated to

Dim con As dbConn = New dbConn()
Dim SqlSelect As String
SqlSelect = "SELECT * FROM login Where user_id= @parmUserID"
Dim cmd As New OleDbCommand(SqlSelect, con.oleconnection)
cmd.Parameters.AddWithValue( "parmUserID", WorkerID_.Text )

Follow the same for the insert and update commands... parameterize them, but use @variable placeholders in the command.

Dim InsertSQL As String
InsertSQL = "INSERT INTO login (user_id, user_role, user_password, user_status) "
InsertSQL &= " VALUES ( @parmUser, @parmRole, @parmPwd, @parmStatus )"
Dim cmdInsert As New OleDbCommand(InsertSQL, con.oleconnection)
cmdInsert.Parameters.AddWithValue( "parmUser", WorkerID_.Text )
cmdInsert.Parameters.AddWithValue( "parmRole", "Worker" )
cmdInsert.Parameters.AddWithValue( "parmPwd", "12345" )
cmdInsert.Parameters.AddWithValue( "parmStatus", 1 )


Dim SqlUpdate As String
SqlUpdate = "INSERT INTO Worker (ID, WorkerID, WorkerName, DoB, Address, Phone, Email, CompanyName, PassportNum, PassportExp, VisaExp, VisaStatus, user_id) "
SqlUpdate &= " VALUES ( @parmID, @parmName, @parmDoB, etc... ) "
Dim cmdUpdate As New OleDbCommand(SqlUpdate, con.oleconnection)
cmdUpdate.Parameters.AddWithValue( "parmID", WorkerID_.Text )
cmdUpdate.Parameters.AddWithValue( "parmName", WorkerName.Text )
cmdUpdate.Parameters.AddWithValue( "parmDoB", DoB.Text )
' etc. with the rest of the parameters.

Final note. Make sure the data types you are trying to insert or update are the same types the table expects. An example would be your "Date of Birth" (DoB) field. If you are trying to insert plain text and it is not auto-converted to the right format, the SQL insert may choke on it and fail. If you have a textbox bound to a DateTime type, your parameter might be DoB.SelectedDate (e.g. from a calendar control), or you can pre-convert the text to a DateTime and use THAT as the parameter value.

Other numeric values can likewise be kept as they are; they should apply directly to the insert. You can also specify the data type (string, int, double, datetime, etc.) that the parameter in the AddWithValue() call should represent.
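As an added example that is not part of the question or either answer, here are the two inserts with positional parameters (the OLE DB .NET provider binds parameters by position, so the command text uses ? placeholders rather than @names), typed date parameters for the DoB and expiry columns, and one transaction around both statements so a failed Worker insert also undoes the login row. The connection string, the shortened column list and the module name are assumptions.

```vbnet
Imports System.Data.OleDb

' Added example, not code from the question or either answer. It assumes a plain
' OleDbConnection string (the page's dbConn wrapper is not used) and a trimmed column list.
Public Module WorkerRegistration
    ' Returns True on success; on failure the login row is rolled back too, so the tables stay in step.
    Public Function AddWorker(connectionString As String, workerId As String,
                              workerName As String, dob As Date, passExp As Date,
                              visaExp As Date, ByRef errorText As String) As Boolean
        Using con As New OleDbConnection(connectionString)
            con.Open()
            Using tx As OleDbTransaction = con.BeginTransaction()
                Try
                    ' OleDb binds parameters by position: each "?" takes the next Parameters.Add value.
                    Using cmdLogin As New OleDbCommand(
                            "INSERT INTO login (user_id, user_role, user_password, user_status) " &
                            "VALUES (?, ?, ?, ?)", con, tx)
                        cmdLogin.Parameters.Add("user_id", OleDbType.VarWChar).Value = workerId
                        cmdLogin.Parameters.Add("user_role", OleDbType.VarWChar).Value = "Worker"
                        cmdLogin.Parameters.Add("user_password", OleDbType.VarWChar).Value = "12345"
                        cmdLogin.Parameters.Add("user_status", OleDbType.Integer).Value = 1
                        cmdLogin.ExecuteNonQuery()
                    End Using
                    ' ID is omitted so the table's own default or autonumber fills it;
                    ' "VALUES (default, ...)" is not accepted by every OLE DB backend.
                    Using cmdWorker As New OleDbCommand(
                            "INSERT INTO Worker (WorkerID, WorkerName, DoB, PassportExp, " &
                            "VisaExp, VisaStatus, user_id) VALUES (?, ?, ?, ?, ?, ?, ?)", con, tx)
                        With cmdWorker.Parameters
                            .Add("WorkerID", OleDbType.VarWChar).Value = workerId
                            .Add("WorkerName", OleDbType.VarWChar).Value = workerName
                            .Add("DoB", OleDbType.Date).Value = dob   ' typed value, not free text
                            .Add("PassportExp", OleDbType.Date).Value = passExp
                            .Add("VisaExp", OleDbType.Date).Value = visaExp
                            .Add("VisaStatus", OleDbType.VarWChar).Value = "No Visa"
                            .Add("user_id", OleDbType.VarWChar).Value = workerId
                        End With
                        cmdWorker.ExecuteNonQuery()
                    End Using
                    tx.Commit()
                    Return True
                Catch ex As OleDbException
                    tx.Rollback()
                    errorText = "Unable to add user: " & ex.Message   ' surface the real cause
                    Return False
                End Try
            End Using
        End Using
    End Function
End Module
```

The caller should only redirect to Workers.aspx when AddWorker returns True; redirecting unconditionally, as the question's code does, discards the FailureText message and hides the cause.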