Fatal编程技术网
  • asp.net/
  • Asp.net 尝试更新VB.net中的列值时出错

Asp.net 尝试更新VB.net中的列值时出错

asp.net sql-server vb.net

Asp.net 尝试更新VB.net中的列值时出错,asp.net,sql-server,vb.net,sql-update,Asp.net,Sql Server,Vb.net,Sql Update,你好 我只是想寻求你们的帮助,我的更新功能再次出现问题,这是我的代码 Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click con = New SqlConnection("Server=localhost\SQLEXPRESS;Database=Vehicle;Trusted_Connection=True;") con.Open() Dim cmd As S

你好

我只是想寻求你们的帮助,我的更新功能再次出现问题,这是我的代码

Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
    con = New SqlConnection("Server=localhost\SQLEXPRESS;Database=Vehicle;Trusted_Connection=True;")
    con.Open()

    Dim cmd As SqlCommand = con.CreateCommand

    cmd.CommandText = String.Format("UPDATE trip SET ticketno, charge, driver, destination, passenger, purpose, tripdate", txtticket.Text, txtcharge.Text, txtdriver.Text, txtdestination.Text, txtpassenger.Text, txtpurpose.Text, dtptripdate1.Value)

    Dim affectedRows As Integer = cmd.ExecuteNonQuery
    If affectedRows > 0 Then
        MsgBox("Succesfully Updated")
    Else
        MsgBox("Failed to update")
    End If

    con.Close()
End Sub
当我尝试单击按钮时,将显示一个错误:

System.Data.dll中发生类型为“System.Data.SqlClient.SqlException”的未处理异常

其他信息:“,”附近的语法不正确

谢谢你帮我。 我真的很快就要完成我办公室的这个小规模项目了,但我遇到了这样的问题。

你的更新声明是错误的,所以你的。你没有错过一个WHERE条件吗

cmd.CommandText = String.Format("UPDATE trip SET ticketno='{0}', charge='{1}', driver='{2}', destination='{3}', passenger='{4}', purpose='{5}', tripdate='{6}'", txtticket.Text, txtcharge.Text, txtdriver.Text, txtdestination.Text, txtpassenger.Text, txtpurpose.Text, dtptripdate1.Value)
或者尝试这样做以避免SQL注入。 用块包装conn,以确保处理SqlConnection

Using conn As New SqlConnection("Server=localhost\SQLEXPRESS;Database=Vehicle;Trusted_Connection=True;")
    conn.Open()
    Dim cmd As New SqlCommand
    cmd.Connection = conn
    cmd.CommandText = "UPDATE trip SET ticketno=@ticketno, charge=@charge, driver=@driver, destination=@destination, " & _
                      "passenger=@passenger, purpose=@purpose, tripdate=@tripdate " & _
                      "WHERE SomeCondition"
    cmd.Parameters.AddWithValue("@ticketno", txtticket.Text)
    cmd.Parameters.AddWithValue("@charge", txtcharge.Text)
    cmd.Parameters.AddWithValue("@driver", txtdriver.Text)
    cmd.Parameters.AddWithValue("@destination", txtdestination.Text)
    cmd.Parameters.AddWithValue("@passenger", txtpassenger.Text)
    cmd.Parameters.AddWithValue("@purpose", txtpurpose.Text)
    cmd.Parameters.AddWithValue("@tripdate", dtptripdate1.Value)

    Dim affectedRow As Integer = cmd.ExecuteNonQuery
    IIf(affectedRow > 0, MsgBox("Succesfully Updated"), MsgBox("Failed to update"))
End Using
我想你应该检查一下,你有一个SQL注入漏洞。使用了这个漏洞,但数据库中的每一条记录都会发生变化,例如,当我尝试更改ticketno时,所有ticketno也会发生变化。这就是我前面指出的。查询中缺少WHERE子句。您应该筛选出要更新的记录 
    Try this,   

   Dim myCommand = New SqlCommand("UPDATE trip SET ticketno=@ticketno, charge=@charge, driver=@driver, destination=@destination, passenger=@passenger, purpose=@purpose, tripdate=@tripdate",con)

        myCommand.Parameters.Add("@ticketno", txtticket.Text)
        myCommand.Parameters.Add("@charge", txtcharge.Text)
        myCommand.Parameters.Add("@driver", txtdriver.Text)
        myCommand.Parameters.Add("@destination", txtdestination.Text)
        myCommand.Parameters.Add("@passenger", txtpassenger.Text)
        myCommand.Parameters.Add("@purpose", txtpurpose.Text)
        myCommand.Parameters.Add("@tripdate", dtptripdate1.Text)

        Dim affectedRows As Integer = cmd.ExecuteNonQuery
        If affectedRows > 0 Then
            MsgBox("Succesfully Updated")
        Else
            MsgBox("Failed to update")
        End If

        con.Close()