vb.net - SQL - 配对查询时出错

时间:2016-07-21 19:19:33

标签: sql vb.net sql-server-ce autocad-plugin

我在AutoCAD插件应用程序中收到此SQL错误。 “[令牌行号= 1,令牌行偏移= 110,令牌错误= desc]”。我逐步拉出表格,提取dbText信息并将其传递到我的数据库中。基于一些帖子,我尝试在值名称前面添加[],在值之前添加@,但两种解决方案都不起作用。

        Using myTrans As Transaction = myDB.TransactionManager.StartTransaction
        Dim myLayerTable As LayerTable = myDB.LayerTableId.GetObject(OpenMode.ForRead)
        For Each myLayerID As ObjectId In myLayerTable
            Dim myLayer As LayerTableRecord = myLayerID.GetObject(OpenMode.ForRead)
            If myLayer <> Nothing Then
                Dim name As String = myLayer.Name,
                    isoff As Boolean = myLayer.IsOff,
                    frozen As Boolean = myLayer.IsFrozen,
                    locked As Boolean = myLayer.IsLocked,
                    color As String = myLayer.Color.ColorNameForDisplay,
                    linetype As String = myLayer.LinetypeObjectId.ToString,
                    lineweight As String = myLayer.LineWeight.ToString,
                    transparency As String = myLayer.Transparency.ToString,
                    plotstyle As String = myLayer.PlotStyleNameId.ToString,
                    isplottable As Boolean = myLayer.IsPlottable,
                    vv As Boolean = myLayer.ViewportVisibilityDefault,
                    desc As String = myLayer.Description
                Dim nd As String = "INSERT INTO layers (name, isoff, frozen, locked, color, linetype, lineweight, transparency, isplottable, vv, desc) " & _
                                                            "VALUES (" & _
                                                            "'" & name & "', " & _
                                                            "'" & isoff & "', " & _
                                                            "'" & frozen & "', " & _
                                                            "'" & locked & "', " & _
                                                            "'" & color & "', " & _
                                                            "'" & linetype & "', " & _
                                                            "'" & lineweight & "', " & _
                                                            "'" & transparency & "', " & _
                                                            "'" & isplottable & "', " & _
                                                            "'" & vv & "', " & _
                                                            "'" & desc & "')"
                CeCon.DataUpdate(nd)
            End If
        Next
        myTrans.Abort()
    End Using
Private CeCon As New SqlCeConnection("Data Source=D:\Documents\Test.sdf;Persist Security Info=False;")
Private CeCmd As SqlCeCommand
Public CeDA As SqlCeDataAdapter
Public CeDT As DataTable
Public Params As New List(Of SqlCeParameter)
Public RecordCount As Integer
Public Exception As String
Public Sub ExecQuery(Query As String)
    '   Reset query stats
    RecordCount = 0
    Exception = ""
    Try
        CeCon.Open()
        CeCmd = New SqlCeCommand(Query, CeCon)
        Params.ForEach(Sub(p) CeCmd.Parameters.Add(p))
        Params.Clear()
        CeDT = New DataTable
        CeDA = New SqlCeDataAdapter(CeCmd)
        RecordCount = CeDA.Fill(CeDT)
    Catch ex As Exception
        Exception = ex.Message
    Finally
        If CeCon.State = ConnectionState.Open Then CeCon.Close()
    End Try
End Sub
Public Function DataUpdate(Command As String) As Integer
    Try
        CeCon.Open()
        CeCmd = New SqlCeCommand(Command, CeCon)
        Dim ChangeCount As Integer = CeCmd.ExecuteNonQuery
        CeCon.Close()
        Return ChangeCount
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
    If CeCon.State = ConnectionState.Open Then CeCon.Close()
    Return 0
End Function

1 个答案:

答案 0 :(得分:0)

DESC是这个世界上任何SQL数据库中的保留关键字。你需要围绕这个词的方括号。 [desc]或者更好地将这个名称改为不那么成问题的东西。

这不是代码中唯一的问题。如果这些变量中的任何一个包含单引号,则通过串联串生成无效的sql命令。 (我让你自己发现与Sql Injection相关的问题,可能会破坏你的数据库)

所以你需要一个参数化的查询

Dim nd As String = "INSERT INTO layers 
    (name, isoff, frozen, locked, color, linetype, lineweight, 
     transparency, isplottable, vv, [desc]) 
    VALUES (@name, @isoff, @frozen, @locked, @color, @linetype, @lineweight, 
            @transparency, @isplottable, @vv, @desc)"
Dim prms = new List(Of SqlCeParameter)()
prms.Add(new SqlCeParameter("@name", SqlDbType.NVarChar) With {.Value = name})
prms.Add(new SqlCeParameter("@isoff", SqlDbType.Bit) With {.Value = isoff})
prms.Add(new SqlCeParameter("@frozen", SqlDbType.Bit) With {.Value = frozen})
prms.Add(new SqlCeParameter("@locked", SqlDbType.Bit) With {.Value = locked})
prms.Add(new SqlCeParameter("@color", SqlDbType.NVarChar) With {.Value = color})
prms.Add(new SqlCeParameter("@linetype", SqlDbType.NVarChar) With {.Value = linetype})
prms.Add(new SqlCeParameter("@lineweight", SqlDbType.NVarChar) With {.Value = lineweight})
prms.Add(new SqlCeParameter("@transparency", SqlDbType.NVarChar) With {.Value = transparency})
prms.Add(new SqlCeParameter("@isplottable", SqlDbType.Bit) With {.Value = isplottable})
prms.Add(new SqlCeParameter("@vv", SqlDbType.Bit) With {.Value = vv})
prms.Add(new SqlCeParameter("@desc", SqlDbType.NVarChar) With {.Value = desc})
CeCon.DataUpdate(nd, prms)

这意味着您还需要更改DataUpdate过程以接收参数值列表

Public Function DataUpdate(Command As String, prms As List(Of SqlCeParameter)) As Integer
    Try
        CeCon.Open()
        CeCmd = New SqlCeCommand(Command, CeCon)
        if prms Is Not Nothing Then
            CeCmd.Parameters.AddRange(prms.ToArray())
        End if
        Dim ChangeCount As Integer = CeCmd.ExecuteNonQuery
        CeCon.Close()
        Return ChangeCount
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
    If CeCon.State = ConnectionState.Open Then CeCon.Close()
    Return 0
End Function
相关问题
最新问题