Getting a SQL Server database item to update? VB.NET

Tags: sql, sql-server, vb.net

I'm having trouble updating a SQL Server database. I think there is something wrong with the syntax, but I'm not sure.

I even tried writing it in SQL Server, but I still see a "syntax" error, and I don't know what is wrong with the syntax! Every once in a while, when I type in basically the same code, it works, with no changes whatsoever... right? haha

Private Sub Button8_Click(sender As System.Object, e As System.EventArgs) Handles Button8.Click
    'update salesperson button
    Dim myconnection As New SqlConnection("server=classified;database=classified")
    myconnection.Open()
    Dim mycommand As SqlCommand
    Dim theQuery As String = "SELECT * FROM Salespeople WHERE [First Name]=@FirstName AND [Last Name]=@LastName AND [Home Address]=@HomeAddress AND City=@City AND State=@State AND [Phone Number]=@PhoneNumber"
    Dim repeatChecker As SqlCommand = New SqlCommand(theQuery, myconnection)
    'mycommand.ExecuteNonQuery()
    If TextBox6.Text = "" Then
        MsgBox("You must add a first name.", MsgBoxStyle.Exclamation)
    ElseIf TextBox7.Text = "" Then
        MsgBox("You must add a last name.", MsgBoxStyle.Exclamation)
    ElseIf TextBox8.Text = "" Then
        MsgBox("You must add a home address.", MsgBoxStyle.Exclamation)
    ElseIf TextBox9.Text = "" Then
        MsgBox("You must add a city.", MsgBoxStyle.Exclamation)
    ElseIf TextBox10.Text.Length <> 2 Then
        MsgBox("State abbreviation needed.", MsgBoxStyle.Exclamation)
    ElseIf TextBox11.Text = "" Or TextBox12.Text = "" Or TextBox13.Text = "" Then
        MsgBox("Please ensure you have entered a valid telephone number: (XXX) (XXX) (XXXX).", MsgBoxStyle.Exclamation)
    ElseIf Firs.IsInputNumeric(TextBox11.Text) = False Or Firs.IsInputNumeric(TextBox12.Text) = False Or Firs.IsInputNumeric(TextBox13.Text) = False Then
        MsgBox("Please ensure you have entered a valid telephone number: (XXX) (XXX) (XXXX).", MsgBoxStyle.Exclamation)
    ElseIf TextBox11.Text.Length <> 3 Or TextBox12.Text.Length <> 3 Or TextBox13.Text.Length <> 4 Then
        MsgBox("Please ensure you have entered a valid telephone number: (XXX) (XXX) (XXXX).", MsgBoxStyle.Exclamation)
    Else
        repeatChecker.Parameters.Add("@FirstName", SqlDbType.VarChar).Value = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox6.Text)
        repeatChecker.Parameters.Add("@LastName", SqlDbType.VarChar).Value = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox7.Text)
        repeatChecker.Parameters.Add("@HomeAddress", SqlDbType.VarChar).Value = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox8.Text)
        repeatChecker.Parameters.Add("@City", SqlDbType.VarChar).Value = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox9.Text)
        repeatChecker.Parameters.Add("@State", SqlDbType.VarChar).Value = TextBox10.Text.ToUpper
        repeatChecker.Parameters.Add("@PhoneNumber", SqlDbType.VarChar).Value = TextBox11.Text + "-" + TextBox12.Text + "-" + TextBox13.Text
        Using reader As SqlDataReader = repeatChecker.ExecuteReader()
            If reader.HasRows Then
                ' User already exists
                MsgBox("This salesperson already exists in the database.", MsgBoxStyle.Exclamation)
            Else
                reader.Close()
                mycommand = New SqlCommand("UPDATE Salespeople SET [First Name]='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox6.Text) + "', [Last Name]='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox7.Text) + "', [Home Address]='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox8.Text) + "', City='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox9.Text) + "', State='" + TextBox10.Text.ToUpper + "', [Phone Number]='" + TextBox11.Text + "-" + TextBox12.Text + "-" + TextBox13.Text + "' WHERE [First Name]=@FirstName, [Last Name]=@LastName, [Home Address]=@HomeAddress, City=@City, State=@State, [Phone Number]=@PhoneNumber)", myconnection)
                mycommand.ExecuteNonQuery()
                BindGridSalespeople()
                TabControl1.SelectTab(0)

                Dim FirstNameDisplay As String = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox1.Text)
                Dim LastNameDisplay As String = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox2.Text)
                MsgBox("Salesperson " + FirstNameDisplay + " " + LastNameDisplay + " successfully added.")
            End If
        End Using
        myconnection.Close()

    End If
End Sub

Is my login form correct and free of SQL injection attacks?

Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
    Dim myconnection As New SqlConnection("server=CLASSIFIED;database=classified")
    myconnection.Open()
    Dim loginQuery As String = " SELECT Username, Password FROM Accounts WHERE (Username = @Username) AND (Password = @Password)"
    Dim loginCommand As SqlCommand = New SqlCommand(loginQuery, myconnection)
    loginCommand.Parameters.Add("@Username", SqlDbType.VarChar).Value = TextBox1.Text
    loginCommand.Parameters.Add("@Password", SqlDbType.VarChar).Value = TextBox2.Text

    Using reader As SqlDataReader = loginCommand.ExecuteReader()
        If reader.HasRows Then
            ' A row matching both username and password was found
            MsgBox("Logged in successfully as " & TextBox1.Text, MsgBoxStyle.Information)
            Firs.Show()
        Else
            MsgBox("Invalid username or password.", MsgBoxStyle.Critical)
        End If
    End Using
    myconnection.Close()
End Sub

Besides the structural changes recommended in the comments, there are also some problems with the WHERE clause:
1: Remove the closing parenthesis after the PhoneNumber parameter.
2: The separate WHERE conditions should be joined with "AND", not commas.

"' WHERE [First Name]=@FirstName, [Last Name]=@LastName, [Home Address]=@HomeAddress, City=@City, State=@State, [Phone Number]=@PhoneNumber)", myconnection)
becomes:

"' WHERE [First Name]=@FirstName AND [Last Name]=@LastName AND [Home Address]=@HomeAddress AND City=@City AND State=@State AND [Phone Number]=@PhoneNumber", myconnection)

Why are you mixing string concatenation and prepared statements...? You haven't told us what the syntax error is, but I think it is related to the values you are injecting from the text boxes. Just use parameters for the entire query. For insert/update statements you should always use prepared statements, not raw SQL concatenation... that is why.

This may sound stupid, but can you tell me which part of the code is the prepared statement and which part is the string concatenation?

What messy code :3

@0as9d8g7as: Do you see how the string assigned to the query is one continuous string, rather than several strings pieced together? In it, you define the parameter names that are filled in below. That is the "correct" way to do it. Compare it with the way you build the string in myCommand (which involves string concatenation). The first thing I would do is swap all the plus signs for ampersands. But if you could provide details about which line you are getting the error on, that would help us.
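The answer and the comments above make two separate points: the WHERE clause must use AND (and lose the stray parenthesis), and the whole UPDATE should be parameterized rather than built by concatenating TextBox values into the SQL text, which is what makes the statement both injectable and fragile (a name containing an apostrophe breaks the syntax). The following is an added example, not code from the question or from either answer, showing the salesperson UPDATE rewritten so that every value in the SET list and in the WHERE clause travels as a SqlParameter. Table and column names are taken from the question. Everything else is an assumption made here: the connection string is a placeholder, the varchar sizes are guesses, and the "orig" values (the row's current values, for instance from the selected grid row) are supplied separately, because the question's WHERE clause compares against the same values it is about to SET and so can never locate the old row.

```vb
' Added example (not from the question or either answer): the salesperson UPDATE rewritten
' so that every value in the SET list and in the WHERE clause is passed as a SqlParameter.
' Table and column names come from the question. Assumptions made here: the connection
' string is a placeholder, the varchar sizes are guesses, and the "orig" values (the row's
' current values, e.g. from the selected grid row) are supplied separately, because a WHERE
' clause that compares against the same values being SET cannot locate the old row.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Globalization

Public Class Salesperson
    Public Property FirstName As String
    Public Property LastName As String
    Public Property HomeAddress As String
    Public Property City As String
    Public Property State As String
    Public Property PhoneNumber As String

    ' Normalises raw form input once (title case, upper-case state, dashed phone),
    ' mirroring what the question's button handler does inline for each field.
    Public Shared Function FromForm(first As String, last As String, address As String,
                                    city As String, state As String,
                                    area As String, exchange As String, line As String) As Salesperson
        Dim ti As TextInfo = CultureInfo.CurrentCulture.TextInfo
        Return New Salesperson With {
            .FirstName = ti.ToTitleCase(first.Trim()),
            .LastName = ti.ToTitleCase(last.Trim()),
            .HomeAddress = ti.ToTitleCase(address.Trim()),
            .City = ti.ToTitleCase(city.Trim()),
            .State = state.Trim().ToUpperInvariant(),
            .PhoneNumber = area.Trim() & "-" & exchange.Trim() & "-" & line.Trim()
        }
    End Function
End Class

Public Class SalespersonRepository
    ' Placeholder; read the real connection string from configuration.
    Private Const ConnectionString As String = "server=CLASSIFIED;database=classified"

    ' The SQL text is a constant: user input never becomes part of it.
    Private Const UpdateSql As String =
        "UPDATE Salespeople " &
        "SET [First Name] = @NewFirstName, [Last Name] = @NewLastName, " &
        "[Home Address] = @NewHomeAddress, City = @NewCity, State = @NewState, " &
        "[Phone Number] = @NewPhoneNumber " &
        "WHERE [First Name] = @OrigFirstName AND [Last Name] = @OrigLastName " &
        "AND [Home Address] = @OrigHomeAddress AND City = @OrigCity " &
        "AND State = @OrigState AND [Phone Number] = @OrigPhoneNumber"

    ' Returns the number of rows changed; 0 means no row matched the original values,
    ' which the caller should report instead of announcing success.
    Public Shared Function UpdateSalesperson(orig As Salesperson, updated As Salesperson) As Integer
        Using connection As New SqlConnection(ConnectionString)
            Using command As New SqlCommand(UpdateSql, connection)
                AddParameters(command, "New", updated)
                AddParameters(command, "Orig", orig)
                connection.Open()
                Return command.ExecuteNonQuery()
            End Using
        End Using
    End Function

    ' One parameter per column; the explicit sizes (assumed column widths) keep the
    ' parameter signature stable so SQL Server can reuse the cached plan.
    Private Shared Sub AddParameters(command As SqlCommand, prefix As String, p As Salesperson)
        command.Parameters.Add("@" & prefix & "FirstName", SqlDbType.VarChar, 50).Value = p.FirstName
        command.Parameters.Add("@" & prefix & "LastName", SqlDbType.VarChar, 50).Value = p.LastName
        command.Parameters.Add("@" & prefix & "HomeAddress", SqlDbType.VarChar, 100).Value = p.HomeAddress
        command.Parameters.Add("@" & prefix & "City", SqlDbType.VarChar, 50).Value = p.City
        command.Parameters.Add("@" & prefix & "State", SqlDbType.VarChar, 2).Value = p.State
        command.Parameters.Add("@" & prefix & "PhoneNumber", SqlDbType.VarChar, 12).Value = p.PhoneNumber
    End Sub
End Class
```

In the button handler, the existing validation and the "already exists" check stay as they are; after them the handler builds `Salesperson.FromForm(TextBox6.Text, TextBox7.Text, TextBox8.Text, TextBox9.Text, TextBox10.Text, TextBox11.Text, TextBox12.Text, TextBox13.Text)`, passes it together with the row's original values to `SalespersonRepository.UpdateSalesperson`, and only shows the success message when the returned row count is greater than zero. The `Using` blocks dispose the connection and command even when `ExecuteNonQuery` throws, which the question's code does not do because `myconnection.Close()` is skipped on an exception.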