Vb.net SQL语句结尾缺少分号(;)
我不知道分号应该放在哪里。这是我的密码:Vb.net SQL语句结尾缺少分号(;),vb.net,ms-access-2010,vb.net-2010,Vb.net,Ms Access 2010,Vb.net 2010,我不知道分号应该放在哪里。这是我的密码: Try cn.Open() Dim query As String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) VALUES('" & txtPID.Te
Try
cn.Open()
Dim query As String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) VALUES('" & txtPID.Text & "','" & txtName.Text & "','" & txtAge.Text & "','" & cmbGender.Text & "','" & txtPhone.Text & "','" & txtAddress.Text & "','" & txtDisease.Text & "',' " & txtDI.Text & " ',' " & txtDO.Text & " ','" & txtRT.Text & "','" & txtBuilding.Text & "','" & txtRN.Text & "',' " & txtMNS.Text & " ',' " & txtUnitPrice.Text & " ',' " & cmbStatus.Text & " ','" & txtPrice.Text & "')" & _
"DELETE From RegistrationTable where [_Name]='" & ListBox1.Text & "'" & _
"Select * from RegistrationTable"
Dim cmds As New OleDbCommand
With cmds
.CommandText = query
.Connection = cn
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
@StingyJack是对的,如果我可以访问你的界面,我可以从周日开始以6种方式破坏你的db,因为你目前没有采取任何措施来缓解SQL注入。除了参数化您的查询以防止注入之外,我不再需要;在查询中每个DML语句的末尾,将它们分解为单独的命令。选择并显示其结果,我留给您。您是否尝试在SQL的每行末尾添加空格?例如,ListBox1.Text&“.”和“Select”之间没有空格。用“nonquery”执行Select肯定不是一个好主意。。。。好的,回答你的问题:在删除声明之前,你需要一个;您的insert也是如此,但是您将无法使用.ExecuteNonQuery()@ChrisPeacock()获取数据。先生,我已经解决了我的问题:)谢谢@我已经更改代码了,先生。在(插入查询、删除查询和我的列表框中显示项的代码)@princenhielcada中-在您上面的代码中,您接受用户输入而没有对其进行清理,因此您确实容易受到攻击。它可能会使代码行数增加一倍,但比OP中的“1行”更容易阅读。尽管如此,我不认为需要初始化
deleteQuery&ListBox1.TextTry
cn.Open()
Dim insertQuery as String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) " & _
"VALUES(@PatientID, @Name, @Age, @Gender, @Phone, @Address, @Disease , @DateIn, @DateOut, @Building, @RoomNo, @RoomType, @UnitPrice, @Status, @MASP, @Price) "
Dim deleteQuery as String = "DELETE From RegistrationTable where [_Name]= @RegName "
Dim selectQuery as String = "Select * from RegistrationTable"
Dim insertCmd As New OleDbCommand
Dim deleteCmd as New OleDbCommand
With insertCmd
.Connection = cn
.CommandText = insertQuery
.Parameters.AddWithValue("@PatientID", txtPID.Text)
.Parameters.AddWithValue("@Name", txtName.Text)
.Parameters.AddWithValue("@Age", txtAge.Text)
.Parameters.AddWithValue("@Gender", cmbGender.Text)
.Parameters.AddWithValue("@Phone", txtPhone.Text)
.Parameters.AddWithValue("@Address", txtAddress.Text)
.Parameters.AddWithValue("@Disease", txtDisease.Text)
.Parameters.AddWithValue("@DateIn", txtDI.Text)
.Parameters.AddWithValue("@DateOUT", txtDO.Text)
.Parameters.AddWithValue("@Building", txtBuilding.Text)
.Parameters.AddWithValue("@RoomNo", txtRN.Text)
.Parameters.AddWithValue("@RoomType", txtRT.Text)
.Parameters.AddWithValue("@UnitPrice", txtUnitPrice.Text)
.Parameters.AddWithValue("@MASP", txtMNS.Text)
.Parameters.AddWithValue("@Status", cmbStatus.Text)
.Parameters.AddWithValue("@Price", txtPrice.Text)
.ExecuteNonQuery()
End With
With deleteCmd
.Connection = cn
.CommandText = deleteQuery
.Parameters.AddWithValue("@RegName", ListBox1.Text)
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try