vb.net: set multiple SQL values on the same row in one query
Tags: sql, vb.net, set, sql-update
I have the code below, which sets 2 values on the same row. This is very simple, but I don't know how to combine it into one query:
Dim cnn As New SqlConnection
Dim sqlcmd As New SqlCommand("SELECT catalogid, delivered,nodilivary FROM supporder", cnn)
sqlcmd.CommandText = "update supporder SET delivered=@delivered WHERE catalogid=@catalogid"
sqlcmd.Parameters.Add(New SqlParameter("@delivered", GridControl2.GetCellValue(currentrowindex, "delivered")))
sqlcmd.Parameters.Add(New SqlParameter("@catalogid", GridControl2.GetCellValue(currentrowindex, "catalogid")))
cnn.Open()
sqlcmd.ExecuteNonQuery()
sqlcmd.Parameters.Clear()
cnn.Close()
sqlcmd.CommandText = "update supporder SET nodilivary=@nodilivary WHERE catalogid=@catalogid"
sqlcmd.Parameters.Add(New SqlParameter("@nodilivary", GridControl2.GetCellValue(currentrowindex, "nodilivary")))
sqlcmd.Parameters.Add(New SqlParameter("@catalogid", GridControl2.GetCellValue(currentrowindex, "catalogid")))
cnn.Open()
sqlcmd.ExecuteNonQuery()
sqlcmd.Parameters.Clear()
cnn.Close()
Separate each field you want to update with a comma:
UPDATE supporder SET nodilivary=@nodilivary, delivered=@delivered WHERE catalogid=@catalogid
Try this:
Dim cnn As New SqlConnection
' Cell values are pasted straight into the SQL text (see the edit below for why that is a problem)
Dim sql As String = String.Format("update supporder set delivered={0}, nodilivary={1} where catalogid={2}", _
    GridControl2.GetCellValue(currentrowindex, "delivered"), _
    GridControl2.GetCellValue(currentrowindex, "nodilivary"), _
    GridControl2.GetCellValue(currentrowindex, "catalogid"))
Dim sqlcmd As New SqlCommand(sql, cnn)
cnn.Open()
sqlcmd.ExecuteNonQuery()
sqlcmd.Parameters.Clear()
cnn.Close()
I don't have VB at hand, but this should be very close.
Edit:
Here is a version of the above using command parameters, which (thanks to your comment) is safer against simple SQL injection than the code above:
Dim cnn As New SqlConnection
' Both columns updated in one statement; values are bound as parameters, never inserted into the SQL text
Dim sql As String = "update supporder set delivered=@delivered, nodilivary=@nodilivary where catalogid=@catalogid"
Dim sqlcmd As New SqlCommand(sql, cnn)
sqlcmd.Parameters.Add(New SqlParameter("@delivered", GridControl2.GetCellValue(currentrowindex, "delivered")))
sqlcmd.Parameters.Add(New SqlParameter("@nodilivary", GridControl2.GetCellValue(currentrowindex, "nodilivary")))
sqlcmd.Parameters.Add(New SqlParameter("@catalogid", GridControl2.GetCellValue(currentrowindex, "catalogid")))
cnn.Open()
sqlcmd.ExecuteNonQuery()
sqlcmd.Parameters.Clear()
cnn.Close()
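Added example, not part of either answer: the single-statement UPDATE of two columns (the comma-separated SET from the first answer) done the string-formatting way beside the parameterized way from the edited answer. It is written in Python with the built-in sqlite3 module instead of VB.NET/SqlClient so it runs offline; the table and column names come from the question, while the rows and the sample cell values are constructed. It shows what the comment thread warns about: a cell value containing an apostrophe breaks the formatted statement, while the parameterized one stores the value exactly as given and still touches only the intended row.

```python
"""Constructed demo of the two UPDATE styles from the answers, using sqlite3
instead of SqlClient. Table/column names follow the question; rows and sample
cell values are made up for the example."""
import sqlite3


def make_db():
    """Create an in-memory supporder table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE supporder (catalogid INTEGER PRIMARY KEY, "
        "delivered TEXT, nodilivary TEXT)"
    )
    conn.executemany(
        "INSERT INTO supporder VALUES (?, ?, ?)",
        [(1, "no", "no"), (2, "no", "no"), (3, "no", "no")],
    )
    return conn


def update_row_formatted(conn, catalogid, delivered, nodilivary):
    """String.Format style: cell values are pasted into the SQL text.
    Quotes or SQL syntax inside a value become part of the statement."""
    sql = (
        "UPDATE supporder SET delivered='{0}', nodilivary='{1}' "
        "WHERE catalogid={2}".format(delivered, nodilivary, catalogid)
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually changed


def update_row_parameterized(conn, catalogid, delivered, nodilivary):
    """Parameterized style: one UPDATE with comma-separated SET clauses,
    values bound separately so they never touch the SQL text."""
    sql = "UPDATE supporder SET delivered=?, nodilivary=? WHERE catalogid=?"
    cur = conn.execute(sql, (delivered, nodilivary, catalogid))
    conn.commit()
    return cur.rowcount


def read_row(conn, catalogid):
    """Return (delivered, nodilivary) for one catalogid."""
    return conn.execute(
        "SELECT delivered, nodilivary FROM supporder WHERE catalogid=?",
        (catalogid,),
    ).fetchone()


def demo():
    """Run both updaters on ordinary input and on a value with a quote."""
    conn = make_db()
    results = {}
    # Ordinary values: both approaches update exactly one row.
    results["fmt_plain"] = update_row_formatted(conn, 1, "yes", "no")
    results["param_plain"] = update_row_parameterized(conn, 2, "yes", "no")
    # A constructed value with an apostrophe, as a grid cell might contain:
    # the formatted statement is no longer valid SQL, the parameterized one
    # stores the string verbatim.
    tricky = "O'Brien"
    try:
        update_row_formatted(conn, 3, tricky, "no")
        results["fmt_tricky"] = "ok"
    except sqlite3.OperationalError:
        results["fmt_tricky"] = "syntax error"
    results["param_tricky"] = update_row_parameterized(conn, 3, tricky, "no")
    results["row3"] = read_row(conn, 3)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The formatted version fails on the first apostrophe; a value that happened to be valid SQL would instead be executed, which is the injection risk raised in the comments. Binding parameters, as in the edited answer, removes that possibility regardless of what the grid cells contain.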
Isn't this a possible opening for SQL injection? Assuming text could be in those data grid cells?
@pilotcam Yes, it would be. But I assumed there would be more layers between the UI and the command. After some reading, I found that using parameters is an easy way to help with this. Corrected the answer - thanks!