插入数据库时出现问题(asp.net、vb.net)
我在mySql数据库中插入dropdownlist的值时遇到问题。 它表示“INSERT语句中的列数少于values子句中指定的值。values子句中的值数必须与INSERT语句中指定的列数匹配。” 当我从一个dropdownlist中选择值2时,第二个dropdownlist也是相同的数字,那么它将毫无问题地插入。但是当值不同(彼此不相等)时,我就会遇到这个问题插入数据库时出现问题(asp.net、vb.net),asp.net,sql-server,vb.net,Asp.net,Sql Server,Vb.net,我在mySql数据库中插入dropdownlist的值时遇到问题。 它表示“INSERT语句中的列数少于values子句中指定的值。values子句中的值数必须与INSERT语句中指定的列数匹配。” 当我从一个dropdownlist中选择值2时,第二个dropdownlist也是相同的数字,那么它将毫无问题地插入。但是当值不同(彼此不相等)时,我就会遇到这个问题 Imports System.Data Imports System.Data.SqlClient Partial Class B
Imports System.Data
Imports System.Data.SqlClient
Partial Class Bevestiging
Inherits System.Web.UI.Page
Dim con As New SqlConnection(" server=BOYAN\SQLEXPRESS; Initial Catalog=GipDatabase; User ID=sa; Password=DitIs1SuperGoedW8woord!")
Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
LblFilmnaam.Text = Session("filmnaam")
LblDatum.Text = Session("datum")
Lbltijd.Text = Session("tijd")
LblAantalKin.Text = Session("Aantalkin")
LblAantalVol.Text = Session("AantalVol")
LblTypeZaal.Text = Session("Zaaltype")
LblPrijs.Text = Session("prijs")
End Sub
Protected Sub BtnBevestigen_Click(sender As Object, e As EventArgs) Handles BtnBevestigen.Click
Dim cmd As New SqlCommand()
cmd.Connection = con
cmd.CommandType = CommandType.Text
con.Open()
cmd.CommandText = "insert into TblReserveren(Filmnaam,datum, tijd, Aantalvolwassenen, Aantalkinderen, TypeZaal, Prijs, GebruikerID) Values('" + LblFilmnaam.Text.ToString + "','" + LblDatum.Text + "','" + Lbltijd.Text + "','" + LblAantalVol.Text + "','" + LblAantalKin.Text + "', '" + LblTypeZaal.Text + "', " + LblPrijs.Text + " , (Select ID from TblGebruiker Where Username = '" + Session("Username") + "'))"
cmd.ExecuteNonQuery()
'MessageBox("De film Is gereserveerd!")
'Response.Write("De film Is gereserveerd!")
con.Close()
End Sub
End Class
您应该使用SQL参数进行查询。它使编写更容易,避免了数据中的撇号等字符问题,有助于防止SQL注入攻击,并通过允许SQL Server重用执行计划来提高性能(这并不总是一个问题) 另外,使用
usingUsing con As New SqlConnection("server=BOYAN\SQLEXPRESS; Initial Catalog=GipDatabase; Integrated Security=true;")
Dim sql = "INSERT INTO TblReserveren(Filmnaam,datum, tijd, Aantalvolwassenen, Aantalkinderen, TypeZaal, Prijs, GebruikerID) Values(@Filmnaam, @datum, @tijd, @Aantalvolwassenen, @Aantalkinderen, @TypeZaal, @prijs, (SELECT ID FROM TblGebruiker WHERE Username = @Username))"
Using cmd As New SqlCommand(sql, con)
'TODO: Set the .SqlDbType and .Size to match the columns in the database. '
cmd.Parameters.Add(New SqlParameter With {.ParameterName = "@Filmnaam", .SqlDbType = SqlDbType.NVarChar, .Size = 100, .Value = CStr(Session("filmnaam"))})
cmd.Parameters.Add(New SqlParameter With {.ParameterName = "@datum", .SqlDbType = SqlDbType.DateTime, .Value = CDate(Session("datum"))})
cmd.Parameters.Add(New SqlParameter With {.ParameterName = "@tijd", .SqlDbType = SqlDbType.NVarChar, .Size = 100, .Value = CStr(Session("tijd"))})
cmd.Parameters.Add(New SqlParameter With {.ParameterName = "@Aantalvolwassenen", .SqlDbType = SqlDbType.NVarChar, .Size = 100, .Value = CStr(Session("AantalVol"))})
cmd.Parameters.Add(New SqlParameter With {.ParameterName = "@Aantalkinderen", .SqlDbType = SqlDbType.NVarChar, .Size = 100, .Value = CStr(Session("Aantalkin"))})
cmd.Parameters.Add(New SqlParameter With {.ParameterName = "@TypeZaal", .SqlDbType = SqlDbType.NVarChar, .Size = 100, .Value = CStr(Session("Zaaltype"))})
cmd.Parameters.Add(New SqlParameter With {.ParameterName = "@prijs", .SqlDbType = SqlDbType.Decimal, .Value = CDec(Session("prijs"))})
cmd.Parameters.Add(New SqlParameter With {.ParameterName = "@Username", .SqlDbType = SqlDbType.NVarChar, .Size = 100, .Value = CStr(Session("Username"))})
con.Open()
cmd.ExecuteNonQuery()
con.Close()
End Using
End Using
最后,您不应该将“sa”登录用于与web相关的工作。我建议使用“integratedsecurity=true”设置。您可能需要在SQL Server中为您的应用程序使用的应用程序池的标识授予一些权限。首先,您应该启用并纠正它为您指出的任何问题。然后,您应该了解如何使用SQL参数并将其用于查询-这将更安全地抵御SQL注入攻击,并适用于包含撇号的数据。您应该真正绑定变量,而不是生成动态SQL。另外,您是否使用十进制数字和逗号作为十进制分隔符?您显示的代码中没有提到dropdownlist。