Vb.net 运行程序时,在(cmd.executenonquery)上获取错误
试试这个Vb.net 运行程序时,在(cmd.executenonquery)上获取错误,vb.net,Vb.net,试试这个 Private Sub BtnSave_Click(sender As Object, e As EventArgs) Handles BtnSave.Click cn.Open() cmd = New SqlCommand("insert into CandTable(Passport_No,Name,Father Name,Mother Name,Date_of_Birth) values('" & Candi.TxtPass.Text &
Private Sub BtnSave_Click(sender As Object, e As EventArgs) Handles BtnSave.Click
cn.Open()
cmd = New SqlCommand("insert into CandTable(Passport_No,Name,Father
Name,Mother Name,Date_of_Birth) values('" & Candi.TxtPass.Text & "','" &
Candi.TxtName.Text & "', '" & Candi.TxtFather.Text & "', '" &
Candi.TxtMother.Text & "','" & Candi.TxtDob.Text & "')", cn)
cmd.ExecuteNonQuery()
cn.Close()
MsgBox("Data Saved Successfully")
End Sub
我还建议您考虑参数化SQL查询。参数化可以防止字符串中的引号和其他危险输入,从而使攻击者能够访问您的数据库。我可以想象这会起作用:为包含空格的字段名使用引号:ChrW(96)。试试这个:'父亲的名字','母亲的名字',我想,这也会产生一个错误。见我上面的评论。
Using sqlcon As New SqlConnection(strCaseConnString)
sbSql.Append("insert into CandTable(Passport_No,Name,[Father Name],[Mother Name],Date_of_Birth) values(@Passport_No,@Name,@FatherName,@MotherName,@Date_of_Birth")
Using sqlCmd As New SqlCommand(sbSql.ToString(), sqlcon)
sqlCmd.Parameters.Add("@Passport_No", SqlDbType.NVarChar).Value = Candi.TxtPass.Text
sqlCmd.Parameters.Add("@Name", SqlDbType.NVarChar).Value = Candi.TxtName.Text
sqlCmd.Parameters.Add("@FatherName", SqlDbType.NVarChar).Value = Candi.TxtFather.Text
sqlCmd.Parameters.Add("@MotherName", SqlDbType.NVarChar).Value = Candi.TxtMother.Text
sqlCmd.Parameters.Add("@Date_of_Birth", SqlDbType.NVarChar).Value = Candi.TxtDob.Text
sqlcon.Open()
sqlCmd.ExecuteNonQuery()
sqlcon.Close()
End Using
End Using