Sql server .Parameters.Add(“MobileNo”,SqlDbType.VarChar).Value=txtMobile.Text sqlCmd.Parameters.Add(“地址”,SqlDbType.VarChar).Value=txtdAddress.Text sqlCmd.Parameters.Add(“BillDate”,SqlDbType.DateTime).Value=dTPDate.Value sqlCmd.Parameters.Add(“BedFrom”,SqlDbType.Date).Value=dTPBedFrom.Value sqlCmd.Parameters.Add(“BedTo”,SqlDbType.Date).Value=dTPBedTo.Value sqlCmd.Parameters.Add(“OTType”,SqlDbType.Char).Value=cboOTType.SelectedValue sqlCmd.Parameters.Add(“OTMedicineCharge”,SqlDbType.Decimal).Value=Val(txtOTMedicineCharge.Text) sqlCmd.Parameters.Add(“WardMedicineCharge”,SqlDbType.Decimal).Value=Val(txtWardMedicineCharge.Text) sqlCmd.Parameters.Add(“MonitorUsed”,SqlDbType.Int).Value=Val(txtMonitorUsed.Text) sqlCmd.Parameters.Add(“OxygenUsed”,SqlDbType.Int).Value=Val(txtOxygenUsed.Text) sqlCmd.Parameters.Add(“PulltionUsed”,SqlDbType.Int).Value=Val(txtPulltionUsed.Text) sqlCmd.Parameters.Add(“ECGUsed”,SqlDbType.Int).Value=Val(txtECGUsed.Text) sqlCmd.Parameters.Add(“PathologyCharge”,SqlDbType.Decimal).Value=Val(txtphologycharge.Text) sqlCmd.Parameters.Add(“DressingType”,SqlDbType.Char)。Value=cboDressingType.SelectedValue sqlCmd.Parameters.Add(“NebuligerUsed”,SqlDbType.Int).Value=Val(txtenbuligerused.Text) sqlCmd.Parameters.Add(“DoctorFees”,SqlDbType.Decimal).Value=Val(txtdoctorFees.Text) sqlCmd.Parameters.Add(“anaesthisitcharge”,SqlDbType.Decimal).Value=Val(txtaneasthisit.Text) sqlCmd.Parameters.Add(“AsstOfScFees”,SqlDbType.Decimal).Value=Val(txtAssistantOfScFees.Text) sqlCmd.Parameters.Add(“AttendentTime”,SqlDbType.Int).Value=Val(txtadent.Text) sqlCmd.Parameters.Add(“OtherChargesCode”,SqlDbType.Char)。Value=txtOtherChargeCode.Text sqlCmd.Parameters.Add(“AcYr”,SqlDbType.Char).Value=mAcYr sqlCmd.Parameters.Add(“@Error”,SqlDbType.VarChar,50) sqlCmd.Parameters(“@Error”).Direction=ParameterDirection.Output sqlCmd.Parameters.Add(“@OutBillCode”,SqlDbType.Char,17) sqlCmd.Parameters(“@OutBillCode”).Direction=ParameterDirection.Output 如果sqlCon.State=ConnectionState.Closed,则 
sqlCon.Open() 如果结束 sqlCmd.ExecuteNonQuery() 如果Len(sqlCmd.Parameters(“@Error”).Value.ToString()为0,则 Show(sqlCmd.Parameters(“@Error”).Value.ToString(),mAppName,MessageBoxButtons.OK,MessageBoxIcon.Error) dTPDate.Select() 如果sqlCon.State=ConnectionState.Open,则 sqlCon.Close() 如果结束 出口接头 如果结束 txtBillCode.Text=sqlCmd.Parameters(“@OutBillCode”).Value.ToString() btnPrint.Visible=True 特例 MessageBox.Show(例如Message、mAppName、MessageBoxButtons.OK、MessageBoxIcon.Error) 重置文本() 最后 sqlCon.Close() 结束尝试 设置按钮(真) 如果结束 端接头
但它给了我一个错误:从字符串转换日期和/或时间时,转换失败 如何传递日期字段以避免错误 我尝试了所有参考资料,但没有成功。这是未经测试的。但是,我怀疑这会让你找到正确的位置。如果这仍然不起作用,那么我怀疑Sql server .Parameters.Add(“MobileNo”,SqlDbType.VarChar).Value=txtMobile.Text sqlCmd.Parameters.Add(“地址”,SqlDbType.VarChar).Value=txtdAddress.Text sqlCmd.Parameters.Add(“BillDate”,SqlDbType.DateTime).Value=dTPDate.Value sqlCmd.Parameters.Add(“BedFrom”,SqlDbType.Date).Value=dTPBedFrom.Value sqlCmd.Parameters.Add(“BedTo”,SqlDbType.Date).Value=dTPBedTo.Value sqlCmd.Parameters.Add(“OTType”,SqlDbType.Char).Value=cboOTType.SelectedValue sqlCmd.Parameters.Add(“OTMedicineCharge”,SqlDbType.Decimal).Value=Val(txtOTMedicineCharge.Text) sqlCmd.Parameters.Add(“WardMedicineCharge”,SqlDbType.Decimal).Value=Val(txtWardMedicineCharge.Text) sqlCmd.Parameters.Add(“MonitorUsed”,SqlDbType.Int).Value=Val(txtMonitorUsed.Text) sqlCmd.Parameters.Add(“OxygenUsed”,SqlDbType.Int).Value=Val(txtOxygenUsed.Text) sqlCmd.Parameters.Add(“PulltionUsed”,SqlDbType.Int).Value=Val(txtPulltionUsed.Text) sqlCmd.Parameters.Add(“ECGUsed”,SqlDbType.Int).Value=Val(txtECGUsed.Text) sqlCmd.Parameters.Add(“PathologyCharge”,SqlDbType.Decimal).Value=Val(txtphologycharge.Text) sqlCmd.Parameters.Add(“DressingType”,SqlDbType.Char)。Value=cboDressingType.SelectedValue sqlCmd.Parameters.Add(“NebuligerUsed”,SqlDbType.Int).Value=Val(txtenbuligerused.Text) sqlCmd.Parameters.Add(“DoctorFees”,SqlDbType.Decimal).Value=Val(txtdoctorFees.Text) sqlCmd.Parameters.Add(“anaesthisitcharge”,SqlDbType.Decimal).Value=Val(txtaneasthisit.Text) sqlCmd.Parameters.Add(“AsstOfScFees”,SqlDbType.Decimal).Value=Val(txtAssistantOfScFees.Text) sqlCmd.Parameters.Add(“AttendentTime”,SqlDbType.Int).Value=Val(txtadent.Text) sqlCmd.Parameters.Add(“OtherChargesCode”,SqlDbType.Char)。Value=txtOtherChargeCode.Text sqlCmd.Parameters.Add(“AcYr”,SqlDbType.Char).Value=mAcYr sqlCmd.Parameters.Add(“@Error”,SqlDbType.VarChar,50) sqlCmd.Parameters(“@Error”).Direction=ParameterDirection.Output sqlCmd.Parameters.Add(“@OutBillCode”,SqlDbType.Char,17) 
sqlCmd.Parameters(“@OutBillCode”).Direction=ParameterDirection.Output 如果sqlCon.State=ConnectionState.Closed,则 sqlCon.Open() 如果结束 sqlCmd.ExecuteNonQuery() 如果Len(sqlCmd.Parameters(“@Error”).Value.ToString()为0,则 Show(sqlCmd.Parameters(“@Error”).Value.ToString(),mAppName,MessageBoxButtons.OK,MessageBoxIcon.Error) dTPDate.Select() 如果sqlCon.State=ConnectionState.Open,则 sqlCon.Close() 如果结束 出口接头 如果结束 txtBillCode.Text=sqlCmd.Parameters(“@OutBillCode”).Value.ToString() btnPrint.Visible=True 特例 MessageBox.Show(例如Message、mAppName、MessageBoxButtons.OK、MessageBoxIcon.Error) 重置文本() 最后 sqlCon.Close() 结束尝试 设置按钮(真) 如果结束 端接头,sql-server,vb.net,Sql Server,Vb.net,但它给了我一个错误:从字符串转换日期和/或时间时,转换失败 如何传递日期字段以避免错误 我尝试了所有参考资料,但没有成功。这是未经测试的。但是,我怀疑这会让你找到正确的位置。如果这仍然不起作用,那么我怀疑INSERT中的列顺序不符合values子句中为提供的值。我还没有检查,但是PRINT/SELECT@SQL将在这里帮助您 无论如何,这里我已经对您的SQL进行了参数化,并且认为数据类型是正确的,所以希望这样做: SET @sql = N' INSERT INTO ' + QUOTENAME(@
INSERT 中的列顺序不符合 VALUES 子句中提供的值。我还没有检查，但是 PRINT / SELECT @SQL 将在这里帮助您
无论如何,这里我已经对您的SQL进行了参数化,并且认为数据类型是正确的,所以希望这样做:
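-- Build the INSERT as dynamic SQL only because the target table name is not
-- known at compile time. Two separate mechanisms keep this safe:
--   * QUOTENAME(@temptableName) escapes the identifier so it cannot break out
--     of the bracketed name; identifiers cannot be bound as parameters.
--   * Every VALUE is a typed sp_executesql parameter and is never concatenated
--     into the string, so user-supplied text is data, not code.
-- NOTE(review): QUOTENAME does not restrict WHICH table is targeted; validate
-- @temptableName against a fixed allow-list of expected names before this point.
SET @sql = N'
INSERT INTO ' + QUOTENAME(@temptableName) + N' (
    BillCode,
    BillNo,
    PatientName,
    MobileNo,
    Address,
    BillDate,
    BedFrom,
    BedTo,
    BedCharge,
    OTType,
    OTCharge,
    OTMedicineCharge,
    WardMedicineCharge,
    MonitorUsed,
    MonitorCharge,
    OxygenUsed,
    OxygenCharge,
    PulltionUsed,
    PulltionCharge,
    ECGUsed,
    ECGCharge,
    PathologyCharge,
    DressingType,
    DressingCharge,
    NebuligerUsed,
    NebuligerCharge,
    DoctorFees,
    AnaesthisistCharge,
    AsstOfScFees,
    AttendentTime,
    AttendentCharge,
    Total,
    OtherChargesCode,
    GrandToTal
)
VALUES (
    @OutBillCode,
    @tempBillNo,
    @PatientName,
    @MobileNo,
    @Address,
    @BillDate,
    @BedFrom,
    @BedTo,
    @tempBedCharge,
    @OTType,
    @OTCharge,
    @OTMedicineCharge,
    @WardMedicineCharge,
    @MonitorUsed,
    @MonitorCharge,
    @OxygenUsed,
    @OxygenCharge,
    @PulltionUsed,
    @PulltionCharge,
    @ECGUsed,
    @ECGCharge,
    @PathologyCharge,
    @DressingType,
    @DressingCharge,
    @NebuligerUsed,
    @NebuligerCharge,
    @DoctorFees,
    @AnaesthisistCharge,
    @AsstOfScFees,
    @AttendentTime,
    @AttendentCharge,
    @TotalCharge,
    @OtherChargesCode,
    @GrandTotal
);';

-- Parameter declaration string: the types here must match the column types so
-- SQL Server does not fall back to string conversion (the source of the
-- "conversion failed when converting date and/or time" error). Two typos in
-- the original ("decimal()18,2)" and "decmial") would have made this string
-- fail to parse; both are corrected below.
EXEC sp_executesql @sql,
    N'@OutBillCode char(17),
      @tempBillNo char(7),
      @PatientName varchar(MAX),
      @MobileNo varchar(20),
      @Address varchar(MAX),
      @BillDate datetime,
      @BedFrom date,
      @BedTo date,
      @tempBedCharge decimal(18,2),
      @OTType char(3),
      @OTCharge decimal(18,2),
      @OTMedicineCharge decimal(18,2),
      @WardMedicineCharge decimal(18,2),
      @MonitorUsed int,
      @MonitorCharge decimal(18,2),
      @OxygenUsed int,
      @OxygenCharge decimal(18,2),
      @PulltionUsed int,
      @PulltionCharge decimal(18,2),
      @ECGUsed int,
      @ECGCharge decimal(18,2),
      @PathologyCharge decimal(18,2),
      @DressingType char(3),
      @DressingCharge decimal(18,2),
      @NebuligerUsed int,
      @NebuligerCharge decimal(18,2),
      @DoctorFees decimal(18,2),
      @AnaesthisistCharge decimal(18,2),
      @AsstOfScFees decimal(18,2),
      @AttendentTime int,
      @AttendentCharge decimal(18,2),
      @TotalCharge decimal(18,2),
      @OtherChargesCode char(5),
      @GrandTotal decimal(18,2)',
    @OutBillCode = @OutBillCode,
    @tempBillNo = @tempBillNo,
    @PatientName = @PatientName,
    @MobileNo = @MobileNo,
    @Address = @Address,
    @BillDate = @BillDate,
    @BedFrom = @BedFrom,
    @BedTo = @BedTo,
    @tempBedCharge = @tempBedCharge,
    @OTType = @OTType,
    @OTCharge = @OTCharge,
    @OTMedicineCharge = @OTMedicineCharge,
    @WardMedicineCharge = @WardMedicineCharge,
    @MonitorUsed = @MonitorUsed,
    @MonitorCharge = @MonitorCharge,
    @OxygenUsed = @OxygenUsed,
    @OxygenCharge = @OxygenCharge,
    @PulltionUsed = @PulltionUsed,
    @PulltionCharge = @PulltionCharge,
    @ECGUsed = @ECGUsed,
    @ECGCharge = @ECGCharge,
    @PathologyCharge = @PathologyCharge,
    @DressingType = @DressingType,
    @DressingCharge = @DressingCharge,
    @NebuligerUsed = @NebuligerUsed,
    @NebuligerCharge = @NebuligerCharge,
    @DoctorFees = @DoctorFees,
    @AnaesthisistCharge = @AnaesthisistCharge,
    @AsstOfScFees = @AsstOfScFees,
    @AttendentTime = @AttendentTime,
    @AttendentCharge = @AttendentCharge,
    @TotalCharge = @TotalCharge,
    @OtherChargesCode = @OtherChargesCode,
    @GrandTotal = @GrandTotal;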
哦，哇……恐怕这段 SQL 绝对可怕；它对 SQL 注入完全开放。这实际上是一个等待被利用的安全漏洞。你清楚地知道参数化是一件事，就像你在 C# 中所做的那样。然而，问题是您没有将 SQL 参数化。您需要这样做并引用（QUOTENAME）这些动态对象名称。删除该 `sp_executesql` 和连接的查询字符串，只需执行 INSERT 语句。您所做的是将整数、日期等转换为本地化字符串，然后尝试将它们转换回本地字符串。可能顺序不对；我也很惊讶像 `SET @MonitorCharge = (SELECT MonitorCharge FROM ChargesMast) * @MonitorUsed` 这样的 SQL 代码正在工作。我预计会出现一个错误，抱怨子查询返回的行数超过 1 行。我刚刚注意到 @Address 和 @PatientName 都是 varchar(MAX) 数据类型。恶意人员可以使用该大小的变量执行任何操作。@Larnu ChargesMast 表被限制不能插入多个值
''' <summary>
''' Posts the billing form to the spTransaction stored procedure.
''' Every value travels as a typed SqlParameter; nothing is concatenated into
''' SQL text. The procedure reports failures through the @Error output
''' parameter and the generated bill code through @OutBillCode.
''' </summary>
''' <param name="updateType">Operation selector forwarded as the UpdateType parameter.</param>
Private Sub Data_Manipulate(ByVal updateType As Integer)
    ' Nothing is sent unless the form passes its own validation first.
    If Not Update_Status() Then Return

    Try
        sqlCon = New SqlConnection(myDataClass.myConnectionString)
        With sqlCmd
            .Connection = sqlCon
            .CommandText = "spTransaction"
            .CommandType = CommandType.StoredProcedure
            .Parameters.Clear()

            ' Input parameters, typed to match the procedure's declared types so
            ' the driver sends native dates/decimals instead of culture-dependent text.
            ' Val() turns blank or non-numeric text into 0 rather than raising.
            .Parameters.Add("UpdateType", SqlDbType.Int).Value = updateType
            .Parameters.Add("BillCode", SqlDbType.Char).Value = txtBillCode.Text
            .Parameters.Add("PatientName", SqlDbType.VarChar).Value = txtName.Text
            .Parameters.Add("MobileNo", SqlDbType.VarChar).Value = txtMobile.Text
            .Parameters.Add("Address", SqlDbType.VarChar).Value = txtAddress.Text
            .Parameters.Add("BillDate", SqlDbType.DateTime).Value = dTPDate.Value
            .Parameters.Add("BedFrom", SqlDbType.Date).Value = dTPBedFrom.Value
            .Parameters.Add("BedTo", SqlDbType.Date).Value = dTPBedTo.Value
            .Parameters.Add("OTType", SqlDbType.Char).Value = cboOTType.SelectedValue
            .Parameters.Add("OTMedicineCharge", SqlDbType.Decimal).Value = Val(txtOTMedicineCharge.Text)
            .Parameters.Add("WardMedicineCharge", SqlDbType.Decimal).Value = Val(txtWardMedicineCharge.Text)
            .Parameters.Add("MonitorUsed", SqlDbType.Int).Value = Val(txtMonitorUsed.Text)
            .Parameters.Add("OxygenUsed", SqlDbType.Int).Value = Val(txtOxygenUsed.Text)
            .Parameters.Add("PulltionUsed", SqlDbType.Int).Value = Val(txtPulltionUsed.Text)
            .Parameters.Add("ECGUsed", SqlDbType.Int).Value = Val(txtECGUsed.Text)
            .Parameters.Add("PathologyCharge", SqlDbType.Decimal).Value = Val(txtPathologyCharge.Text)
            .Parameters.Add("DressingType", SqlDbType.Char).Value = cboDressingType.SelectedValue
            .Parameters.Add("NebuligerUsed", SqlDbType.Int).Value = Val(txtNebuligerUsed.Text)
            .Parameters.Add("DoctorFees", SqlDbType.Decimal).Value = Val(txtdoctorFees.Text)
            .Parameters.Add("AnaesthisistCharge", SqlDbType.Decimal).Value = Val(txtAnaesthisist.Text)
            .Parameters.Add("AsstOfScFees", SqlDbType.Decimal).Value = Val(txtAssistantOfScFees.Text)
            .Parameters.Add("AttendentTime", SqlDbType.Int).Value = Val(txtAttendent.Text)
            .Parameters.Add("OtherChargesCode", SqlDbType.Char).Value = txtOtherChargeCode.Text
            .Parameters.Add("AcYr", SqlDbType.Char).Value = mAcYr

            ' Output parameters populated by the procedure; Add returns the
            ' new SqlParameter, so the direction can be set on the same line.
            .Parameters.Add("@Error", SqlDbType.VarChar, 50).Direction = ParameterDirection.Output
            .Parameters.Add("@OutBillCode", SqlDbType.Char, 17).Direction = ParameterDirection.Output
        End With

        If sqlCon.State = ConnectionState.Closed Then sqlCon.Open()
        sqlCmd.ExecuteNonQuery()

        ' A non-empty @Error means the procedure rejected the transaction:
        ' surface the message, refocus the date field and leave WITHOUT
        ' re-enabling the buttons (Finally still closes the connection).
        Dim procError As String = sqlCmd.Parameters("@Error").Value.ToString()
        If procError.Length <> 0 Then
            MessageBox.Show(procError, mAppName, MessageBoxButtons.OK, MessageBoxIcon.Error)
            dTPDate.Select()
            If sqlCon.State = ConnectionState.Open Then sqlCon.Close()
            Exit Sub
        End If

        txtBillCode.Text = sqlCmd.Parameters("@OutBillCode").Value.ToString()
        btnPrint.Visible = True
    Catch ex As Exception
        ' Connection/command failures: report and clear the form.
        MessageBox.Show(ex.Message, mAppName, MessageBoxButtons.OK, MessageBoxIcon.Error)
        Reset_Text()
    Finally
        sqlCon.Close()
    End Try

    Set_Buttons(True)
End Sub
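-- Build the INSERT as dynamic SQL only because the target table name is not
-- known at compile time. Two separate mechanisms keep this safe:
--   * QUOTENAME(@temptableName) escapes the identifier so it cannot break out
--     of the bracketed name; identifiers cannot be bound as parameters.
--   * Every VALUE is a typed sp_executesql parameter and is never concatenated
--     into the string, so user-supplied text is data, not code.
-- NOTE(review): QUOTENAME does not restrict WHICH table is targeted; validate
-- @temptableName against a fixed allow-list of expected names before this point.
SET @sql = N'
INSERT INTO ' + QUOTENAME(@temptableName) + N' (
    BillCode,
    BillNo,
    PatientName,
    MobileNo,
    Address,
    BillDate,
    BedFrom,
    BedTo,
    BedCharge,
    OTType,
    OTCharge,
    OTMedicineCharge,
    WardMedicineCharge,
    MonitorUsed,
    MonitorCharge,
    OxygenUsed,
    OxygenCharge,
    PulltionUsed,
    PulltionCharge,
    ECGUsed,
    ECGCharge,
    PathologyCharge,
    DressingType,
    DressingCharge,
    NebuligerUsed,
    NebuligerCharge,
    DoctorFees,
    AnaesthisistCharge,
    AsstOfScFees,
    AttendentTime,
    AttendentCharge,
    Total,
    OtherChargesCode,
    GrandToTal
)
VALUES (
    @OutBillCode,
    @tempBillNo,
    @PatientName,
    @MobileNo,
    @Address,
    @BillDate,
    @BedFrom,
    @BedTo,
    @tempBedCharge,
    @OTType,
    @OTCharge,
    @OTMedicineCharge,
    @WardMedicineCharge,
    @MonitorUsed,
    @MonitorCharge,
    @OxygenUsed,
    @OxygenCharge,
    @PulltionUsed,
    @PulltionCharge,
    @ECGUsed,
    @ECGCharge,
    @PathologyCharge,
    @DressingType,
    @DressingCharge,
    @NebuligerUsed,
    @NebuligerCharge,
    @DoctorFees,
    @AnaesthisistCharge,
    @AsstOfScFees,
    @AttendentTime,
    @AttendentCharge,
    @TotalCharge,
    @OtherChargesCode,
    @GrandTotal
);';

-- Parameter declaration string: the types here must match the column types so
-- SQL Server does not fall back to string conversion (the source of the
-- "conversion failed when converting date and/or time" error). Two typos in
-- the original ("decimal()18,2)" and "decmial") would have made this string
-- fail to parse; both are corrected below.
EXEC sp_executesql @sql,
    N'@OutBillCode char(17),
      @tempBillNo char(7),
      @PatientName varchar(MAX),
      @MobileNo varchar(20),
      @Address varchar(MAX),
      @BillDate datetime,
      @BedFrom date,
      @BedTo date,
      @tempBedCharge decimal(18,2),
      @OTType char(3),
      @OTCharge decimal(18,2),
      @OTMedicineCharge decimal(18,2),
      @WardMedicineCharge decimal(18,2),
      @MonitorUsed int,
      @MonitorCharge decimal(18,2),
      @OxygenUsed int,
      @OxygenCharge decimal(18,2),
      @PulltionUsed int,
      @PulltionCharge decimal(18,2),
      @ECGUsed int,
      @ECGCharge decimal(18,2),
      @PathologyCharge decimal(18,2),
      @DressingType char(3),
      @DressingCharge decimal(18,2),
      @NebuligerUsed int,
      @NebuligerCharge decimal(18,2),
      @DoctorFees decimal(18,2),
      @AnaesthisistCharge decimal(18,2),
      @AsstOfScFees decimal(18,2),
      @AttendentTime int,
      @AttendentCharge decimal(18,2),
      @TotalCharge decimal(18,2),
      @OtherChargesCode char(5),
      @GrandTotal decimal(18,2)',
    @OutBillCode = @OutBillCode,
    @tempBillNo = @tempBillNo,
    @PatientName = @PatientName,
    @MobileNo = @MobileNo,
    @Address = @Address,
    @BillDate = @BillDate,
    @BedFrom = @BedFrom,
    @BedTo = @BedTo,
    @tempBedCharge = @tempBedCharge,
    @OTType = @OTType,
    @OTCharge = @OTCharge,
    @OTMedicineCharge = @OTMedicineCharge,
    @WardMedicineCharge = @WardMedicineCharge,
    @MonitorUsed = @MonitorUsed,
    @MonitorCharge = @MonitorCharge,
    @OxygenUsed = @OxygenUsed,
    @OxygenCharge = @OxygenCharge,
    @PulltionUsed = @PulltionUsed,
    @PulltionCharge = @PulltionCharge,
    @ECGUsed = @ECGUsed,
    @ECGCharge = @ECGCharge,
    @PathologyCharge = @PathologyCharge,
    @DressingType = @DressingType,
    @DressingCharge = @DressingCharge,
    @NebuligerUsed = @NebuligerUsed,
    @NebuligerCharge = @NebuligerCharge,
    @DoctorFees = @DoctorFees,
    @AnaesthisistCharge = @AnaesthisistCharge,
    @AsstOfScFees = @AsstOfScFees,
    @AttendentTime = @AttendentTime,
    @AttendentCharge = @AttendentCharge,
    @TotalCharge = @TotalCharge,
    @OtherChargesCode = @OtherChargesCode,
    @GrandTotal = @GrandTotal;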