即使数据库中仍不存在记录,也无法INSERT

时间:2012-01-11 20:08:31

标签: sql vb.net visual-studio-2010

我想在数据库中插入记录但在插入之前,必须首先检查数据库是否已经存在插入的值。现在我的问题是,即使值仍然不存在,我也无法插入数据库。

这是我的代码:

Dim check As New SqlCommand
    Dim sqlcheck As String = "SELECT SerialNumber FROM EquipmentDetail WHERE SerialNumber = '" & TextBox1.Text & "'"


    connection.Open()
    check.Connection = connection
    check.CommandText = sqlcheck

    Dim read As SqlDataReader = check.ExecuteReader()

    If read.HasRows Then

        While read.Read()

            If read("SerialNumber").ToString() = TextBox1.Text Then

                MessageBox.Show(read("SerialNumber").ToString() & " was already added")

            Else

                cmd.Connection = connection
                cmd.CommandText = "INSERT INTO EquipmentDetail (SerialNumber, BoxNumber, FATTNumber, FaultTicketNumber, Description, ProductCode)" &
                "VALUES('" & TextBox1.Text & "',  '" & TextBox2.Text & "',  '" & TextBox3.Text & "',  '" & TextBox4.Text & "', '" & TextBox6.Text & "',  '" & ComboBox1.Text & "')"
                cmd.ExecuteNonQuery()

                MessageBox.Show("Equipment successfully added.", "Equipment", MessageBoxButtons.OK)
                TextBox1.Text = ""
                TextBox2.Text = ""
                TextBox3.Text = ""
                TextBox4.Text = ""
                TextBox6.Text = ""
                TextBox1.Focus()
                connection.Close()

            End If
        End While
    End If
    read.Close()

3 个答案:

答案 0 :(得分:2)

您的代码存在许多问题。

首先,您有一个可以使用参数解决的SQL注入漏洞。

其次,您正在开放式数据加载器中执行数据库活动,这可能会导致许多问题。

第三,您正在执行太多工作来确定序列号是否存在。您可以使用SQL Server Exists语句和SqlCommand的ExecuteScalar方法来返回和测试单个值,这使代码更快更容易理解。

最后,您需要确保丢弃一次性物品,最简单/最好的方法是使用使用块。

可以使用以下代码解决这些问题:

    Using connection As New SqlConnection(connStr)
        Dim sqlcheck As String = "IF EXISTS(select 1 FROM EquipmentDetail WHERE SerialNumber=@SerialNumber) SELECT 1 ELSE SELECT 0"
        Using cmd As New SqlCommand(sqlcheck, connection)
            cmd.Parameters.AddWithValue("@SerialNumber", TextBox1.Text)
            connection.Open()

            If CBool(cmd.ExecuteScalar) Then
                MessageBox.Show(TextBox1.Text & " was already added")
            Else
                Using insertCmd As New SqlCommand
                    insertCmd.Connection = connection

                    insertCmd.CommandText = "INSERT INTO EquipmentDetail (SerialNumber, BoxNumber, FATTNumber, FaultTicketNumber, Description, ProductCode)" &
                    "VALUES(@SerialNumber, @BoxNumber, @FATTNumber, @FaultTicketNumber, @Description, @ProductCode)"
                    insertCmd.Parameters.AddWithValue("@SerialNumber", TextBox1.Text)
                    insertCmd.Parameters.AddWithValue("@BoxNumber", TextBox2.Text)
                    insertCmd.Parameters.AddWithValue("@FATTNumber", TextBox3.Text)
                    insertCmd.Parameters.AddWithValue("@FaultTicketNumber", TextBox4.Text)
                    insertCmd.Parameters.AddWithValue("@Description", TextBox6.Text)
                    insertCmd.Parameters.AddWithValue("@ProductCode", ComboBox1.Text)

                    insertCmd.ExecuteNonQuery()

                    MessageBox.Show("Equipment successfully added.", "Equipment", MessageBoxButtons.OK)
                    TextBox1.Text = ""
                    TextBox2.Text = ""
                    TextBox3.Text = ""
                    TextBox4.Text = ""
                    TextBox6.Text = ""
                    TextBox1.Focus()
                End Using

            End If
        End Using
        connection.Close()
    End Using

答案 1 :(得分:0)

如果db中不存在SerialNumber值,则不会返回任何内容 - 因此永远不会到达包含插入的块。

答案 2 :(得分:0)

首先,您要连接字符串以创建SQL语句。非常危险,请阅读SQL注入和参数化。

问题似乎是因为只有在SerialNumber检查的结果有行时才执行INSERT。但是如果SerialNumber不存在,它将不会做任何事情。您应该尝试修改If语句,如下所示:

If read.HasRows Then

    MessageBox.Show(read("SerialNumber").ToString() & " was already added")

Else

    cmd.Connection = connection
    cmd.CommandText = "INSERT INTO EquipmentDetail (SerialNumber, BoxNumber, FATTNumber, FaultTicketNumber, Description, ProductCode)" &
      "VALUES('" & TextBox1.Text & "',  '" & TextBox2.Text & "',  '" & TextBox3.Text & "',  '" & TextBox4.Text & "', '" & TextBox6.Text & "',  '" & ComboBox1.Text & "')"
    cmd.ExecuteNonQuery()

    MessageBox.Show("Equipment successfully added.", "Equipment", MessageBoxButtons.OK)
            TextBox1.Text = ""
            TextBox2.Text = ""
            TextBox3.Text = ""
            TextBox4.Text = ""
            TextBox6.Text = ""
            TextBox1.Focus()
            connection.Close()

End If
read.Close()