尝试执行commandquery时发生SQL错误
运行下面的代码时,我不断收到错误消息:尝试执行commandquery时发生SQL错误,sql,vb.net,ms-access,Sql,Vb.net,Ms Access,运行下面的代码时,我不断收到错误消息:查询表达式中的语法错误(缺少运算符)。我做错了什么 con = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Database1.accdb" connOledb.ConnectionString = con connOledb.Open() command = New OleDb.OleDbCommand("INSERT INTO Artikels VALUES('1'," + txtOmsch.Te
查询表达式中的语法错误(缺少运算符)
。我做错了什么
con = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Database1.accdb"
connOledb.ConnectionString = con
connOledb.Open()
command = New OleDb.OleDbCommand("INSERT INTO Artikels VALUES('1'," + txtOmsch.Text + _
"','" + txtCat.Text + "','" + txtAPE.Text + _
"','" + txtMarge.Text + "','" + txtVPE.Text + _
"','" + txtEen.Text + "','" + txtLen.Text + _
"','" + txtBreed.Text + "','" + txtDiep.Text + _
txtOmsch.Text + "');")
command.Connection = connOledb
command.ExecuteNonQuery()
第二个值缺少一个引号。试试这个
command = New OleDb.OleDbCommand("INSERT INTO Artikels VALUES('1','" + txtOmsch.Text + _
"','" + txtCat.Text + "','" + txtAPE.Text + _
"','" + txtMarge.Text + "','" + txtVPE.Text + _
"','" + txtEen.Text + "','" + txtLen.Text + _
"','" + txtBreed.Text + "','" + txtDiep.Text + _
txtOmsch.Text + "');")
您的代码易受sql注入攻击,请使用参数化查询,因为您使用的是ADO.NET
,最好尝试下面的代码
Dim con As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Database1.accdb"
Dim query As String = "INSERT INTO Artikels VALUES(@val1, @Omsch, @Cat, @Ape, @VPE, @Een, @len, @breed, @diep,@Omsch)")
Using connOledb As New OleDbConnection(con)
Using command As New OleDbCommand()
With command
.Connection = con
.CommandType = CommandType.Text
.CommandText = query
.Parameters.AddWithValue("@val1",1)
.Parameters.AddWithValue("@Omsch",txtOmsch.Text)
.Parameters.AddWithValue("@Cat",txtCat.Text)
.Parameters.AddWithValue("@Ape",txtAPE.Text)
.Parameters.AddWithValue("@VPE",txtVPE.Text)
.Parameters.AddWithValue("@Een",txtEen.Text )
.Parameters.AddWithValue("@len",txtLen.Text)
.Parameters.AddWithValue("@breed",txtBreed.Text)
.Parameters.AddWithValue("@diep",txtDiep.Text)
End with
Try
connOledb.Open()
command.ExecuteNonQuery()
Catch(ex as OleDBException)
Msgbox(ex.Message.Tostring())
End Try
End Using
End Using
或添加
.Add("@Omsch", OleDbType.VarChar, 30).Value = txtOmsch.Text
第二列周围的第一个“标记”缺失
con = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Database1.accdb"
connOledb.ConnectionString = con
connOledb.Open()
command = New OleDb.OleDbCommand("INSERT INTO Artikels VALUES('1','" + txtOmsch.Text + _
"','" + txtCat.Text + "','" + txtAPE.Text + _
"','" + txtMarge.Text + "','" + txtVPE.Text + _
"','" + txtEen.Text + "','" + txtLen.Text + _
"','" + txtBreed.Text + "','" + txtDiep.Text + _
txtOmsch.Text + "');")
command.Connection = connOledb
command.ExecuteNonQuery()
警告:您的代码易受sql注入攻击!我必须同意丹尼尔的观点。您正在创建一个安全问题。您应该使用参数来构造命令,而不是构建SQL字符串。您知道吗?不喜欢.AddWithValue()。。。它有一些潜在的破坏性能的副作用。我更希望看到他使用.Add()选项来请求特定类型。但是为了演示参数的用法,不管怎样+1:至少安全问题已经解决了。@JoelCoehoorn我当然同意你的看法。我只是想演示如何在查询中添加参数。我想我会把它留给OP。你觉得怎么样?嘿,谢谢你的快速回答,我会尽快尝试sql安全版本的代码,然后我会回来报告:)