Syntax error in UPDATE statement when accessing an MS Access database

Time: 2018-05-07 17:52:23

Tags: vb.net ms-access ado.net

I am using an update statement against an MS Access database in vb.net, but it tells me there is a syntax error in the update statement... Please help me, what am I missing here?

cmd.CommandText = "Update Student set RegNo = '" & TextBox14.Text & "', StudName = '" & 
    TextBox2.Text & "', DateAdd = '" & DateTimePicker1.Text & "', DOB = '" & DateTimePicker2.Text & 
    "', Age = '" & TextBox3.Text & "', Gender = '" & ComboBox2.Text & "', PrAddress = '" & 
    TextBox4.Text & "', PeAddress = '" & TextBox5.Text & "', FName = '" & TextBox6.Text & 
    "', FMobile = '" & TextBox8.Text & "', FOccupation = '" & TextBox7.Text & "', Income = '" & 
    TextBox10.Text & "', Pschool = '" & TextBox9.Text & "', Nationality = '" & ComboBox3.Text & 
    "', Area = '" & ComboBox1.Text & "', BPlace = '" & TextBox12.Text & "', Religion = '" & 
    TextBox13.Text & "', AdmitedTo = '" & ComboBox4.Text & "', Status = '" & status & 
    "', DateLeft = '" & DateLeft & "', Remarks = '" & lremark & "', LeavingReason = '" & lreason & 
    "',  where RollNo = '" & ComboBox5.Text & "' "

3 answers:

Answer 0 (score: 3)

There is an extra comma at the end, just before the where clause; remove it and the syntax is fine.

' At the beginning of the last string (the WHERE part) you had an extra comma
' after the closing tick; it is gone below.
cmd.CommandText = "Update Student set RegNo = '" & TextBox14.Text & _
    "', StudName = '" & TextBox2.Text & _
    "', DateAdd = '" & DateTimePicker1.Text & _
    "', DOB = '" & DateTimePicker2.Text & _
    "', Age = '" & TextBox3.Text & _
    "', Gender = '" & ComboBox2.Text & _
    "', PrAddress = '" & TextBox4.Text & _
    "', PeAddress = '" & TextBox5.Text & _
    "', FName = '" & TextBox6.Text & _
    "', FMobile = '" & TextBox8.Text & _
    "', FOccupation = '" & TextBox7.Text & _
    "', Income = '" & TextBox10.Text & _
    "', Pschool = '" & TextBox9.Text & _
    "', Nationality = '" & ComboBox3.Text & _
    "', Area = '" & ComboBox1.Text & _
    "', BPlace = '" & TextBox12.Text & _
    "', Religion = '" & TextBox13.Text & _
    "', AdmitedTo = '" & ComboBox4.Text & _
    "', Status = '" & status & _
    "', DateLeft = '" & DateLeft & _
    "', Remarks = '" & lremark & _
    "', LeavingReason = '" & lreason & _
    "' WHERE RollNo = '" & ComboBox5.Text & "' "

Other notes

  • Don't use string concatenation for values. Use parameters instead. See How can I add user-supplied input to an SQL statement?; the second answer is specific to vb.net.
    • When using parameters with Access you must always keep in mind that they are positional, not named. The first parameter added to the parameter collection must correspond to the first parameter in the sql string. You should/can use a question mark ? as the placeholder to remind yourself of this, rather than named parameters.
    • Always specify the correct data type of the parameter in the parameter collection.
    • Always pass each parameter as its native type, not as a converted string value. If you only have a string value in your code, convert it to the native value first. Example: DateTimePicker2.Text <= don't take Text, take Value, or parse it into a DateTime instance (if it is a text box).
  • Use square brackets [] around Access object names. This is a preference that is not always needed, but sometimes you want to use a reserved name such as user.

Answer 1 (score: 2)

Look at how much more readable this is. It makes it much easier to spot things like the extra comma at the end of the SET list. It also automatically takes care of issues like SQL injection, date formatting, and special characters in the remarks or name fields.

cmd.CommandText = _
    "UPDATE Student " & 
     "SET RegNo = ?, StudName = ?, DateAdd = ?, DOB = ?, Age = ?, Gender = ?, " &
         "PrAddress = ?, PeAddress = ?, FName = ?, FMobile = ?, FOccupation = ?, Income = ?, " &
         "Pschool = ?, Nationality = ?, Area = ?, BPlace = ?, Religion = ?, AdmitedTo = ?, " & 
         "Status = ?, DateLeft = ?, Remarks = ?, LeavingReason = ? " & 
     "WHERE RollNo = ?"

' Had to guess at column types/lengths here.
' Edit it to use the actual column types/lengths from the database.
' OleDb binds by position, so the Add calls must follow the order of the ? placeholders.
cmd.Parameters.Add("RegNo", OleDbType.Integer).Value = CInt(TextBox14.Text)
cmd.Parameters.Add("StudName", OleDbType.VarWChar, 20).Value = TextBox2.Text
cmd.Parameters.Add("DateAdd", OleDbType.Date).Value = DateTimePicker1.Value
cmd.Parameters.Add("DOB", OleDbType.Date).Value = DateTimePicker2.Value
cmd.Parameters.Add("Age", OleDbType.Integer).Value = CInt(TextBox3.Text)
cmd.Parameters.Add("Gender", OleDbType.VarChar, 15).Value = ComboBox2.Text
cmd.Parameters.Add("PrAddress", OleDbType.VarWChar, 150).Value = TextBox4.Text
cmd.Parameters.Add("PeAddress", OleDbType.VarWChar, 150).Value = TextBox5.Text
cmd.Parameters.Add("FName", OleDbType.VarWChar, 12).Value = TextBox6.Text
cmd.Parameters.Add("FMobile", OleDbType.VarChar, 14).Value = TextBox8.Text
cmd.Parameters.Add("FOccupation", OleDbType.VarWChar, 25).Value = TextBox7.Text
cmd.Parameters.Add("Income", OleDbType.Decimal).Value = CDec(TextBox10.Text)
cmd.Parameters.Add("Pschool", OleDbType.VarWChar, 35).Value = TextBox9.Text
cmd.Parameters.Add("Nationality", OleDbType.VarWChar, 20).Value = ComboBox3.Text
cmd.Parameters.Add("Area", OleDbType.VarChar, 10).Value = ComboBox1.Text
cmd.Parameters.Add("BPlace", OleDbType.VarChar, 30).Value = TextBox12.Text
cmd.Parameters.Add("Religion", OleDbType.VarChar, 20).Value = TextBox13.Text
cmd.Parameters.Add("AdmitedTo", OleDbType.VarChar, 10).Value = ComboBox4.Text
cmd.Parameters.Add("Status", OleDbType.VarChar, 10).Value = status
cmd.Parameters.Add("DateLeft", OleDbType.Date).Value = DateLeft
cmd.Parameters.Add("Remarks", OleDbType.VarWChar, 1000).Value = lremark
cmd.Parameters.Add("LeavingReason", OleDbType.VarChar, 30).Value = lreason
cmd.Parameters.Add("RollNo", OleDbType.Integer).Value = CInt(ComboBox5.Text)

Answer 2 (score: 1)

First, when you concatenate SQL together like that, you leave yourself open to SQL injection attacks. Using parameterized queries both mitigates that problem and makes the SQL easier to read. In your statement you can also get SQL syntax errors depending on the input (for example, if any of the text boxes for those values contains a quote, it will break your SQL); parameterized queries solve that problem too, by keeping values like quotes as part of the parameter value rather than part of the SQL.

This is roughly what it would look like:

' With the OleDb provider the @names are ignored; parameters bind in the order they are added.
cmd.CommandText = "update Student set RegNo = @RegNo where RollNo = @RollNo"
cmd.Parameters.AddWithValue("@RegNo", TextBox14.Text)
cmd.Parameters.AddWithValue("@RollNo", ComboBox5.Text)
cmd.ExecuteNonQuery()
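Putting the three answers together (positional ? placeholders, native-typed values, bracketed Access names), here is an added example that is not from the thread or the asker's project. It assumes a students.accdb file opened through the ACE provider, the helper names Col and BuildUpdate, and constructed sample values; the SET list and the parameter collection are generated from the same list, so their order cannot drift apart.

```vb
' Added example, not from the thread. Assumes a students.accdb file, the ACE
' provider, the helper names Col/BuildUpdate and constructed sample values.
Imports System.Collections.Generic
Imports System.Data.OleDb
Imports System.Linq
Module StudentUpdate
    ' One SET column: Access column name, OleDb type and the value already
    ' converted to its native type (Integer, Date, String), never a formatted string.
    Public Structure Col
        Public Name As String
        Public DbType As OleDbType
        Public Value As Object
        Public Sub New(name As String, dbType As OleDbType, value As Object)
            Me.Name = name
            Me.DbType = dbType
            Me.Value = If(value, DBNull.Value) ' Nothing (e.g. no DateLeft yet) becomes NULL
        End Sub
    End Structure
    ' Emits "UPDATE [Student] SET [A] = ?, [B] = ? WHERE [RollNo] = ?" and adds the
    ' parameters from the same list in the same order: OleDb binds by position and
    ' ignores parameter names, so the SQL and the collection can never get out of step.
    Public Function BuildUpdate(conn As OleDbConnection, cols As IList(Of Col), rollNo As Integer) As OleDbCommand
        Dim cmd = conn.CreateCommand()
        Dim setList = String.Join(", ", cols.Select(Function(c) "[" & c.Name & "] = ?"))
        cmd.CommandText = "UPDATE [Student] SET " & setList & " WHERE [RollNo] = ?"
        For Each c In cols
            cmd.Parameters.Add(c.Name, c.DbType).Value = c.Value
        Next
        cmd.Parameters.Add("RollNo", OleDbType.Integer).Value = rollNo
        Return cmd
    End Function
    Sub Main()
        ' Constructed sample values (in the form: Integer.Parse(TextBox14.Text), DateTimePicker1.Value, ...).
        ' The apostrophe in the name is plain data here; concatenated into SQL it would break the statement.
        Dim cols = New List(Of Col) From {
            New Col("RegNo", OleDbType.Integer, 1042),
            New Col("StudName", OleDbType.VarWChar, "O'Brien, Sean"),
            New Col("DateAdd", OleDbType.Date, New Date(2018, 5, 7)),
            New Col("DateLeft", OleDbType.Date, Nothing)
        }
        Using conn As New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=students.accdb")
            conn.Open()
            Using cmd = BuildUpdate(conn, cols, 17)
                Console.WriteLine(cmd.CommandText)
                Console.WriteLine("{0} row(s) updated", cmd.ExecuteNonQuery())
            End Using
        End Using
    End Sub
End Module
```

Adding a column is now one more Col entry; the placeholder count, the parameter order and the declared type stay in sync by construction.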