您的位置: 首页  >  技术问答  >  嗨,我是一名学生,我想知道如何纠正我的插入查询错误

嗨,我是一名学生,我想知道如何纠正我的插入查询错误

分类: 技术问答 2022-06-08 12:47:27
问题描述:

INSERT INTO语句中的语法错误



我尝试过:



Syntax error in INSERT INTO statement

What I have tried:

Protected Sub btnAdd_Click(sender As Object, e As EventArgs)
       Dim connectionstring As String

       Dim connstring As String = ("PROVIDER=Microsoft.Jet.OLEDB.4.0;Data Source = C:\Users\Mthobeli Gxavu\Documents\Customer2.mdb")


       connectionstring = "insert into CustomerDetais,CustomerHist(CustomerNumber,CustomerName,Email,PhoneNumber,AddressNumber,Surburb,City,PostalCode,PastPurchases,CurrentOrderAmount,DatePurchase,CustomerHist.CustomerNumber) values(" & txtCustNum.Text & ",'" & txtCustName.Text & "','" & txtEmail.Text & "','" & txtNumber.Text & "','" & txtNumberZone.Text & "','" & txtSurburb.Text & "','" & txtCity.Text & "','" & txtPostalCode.Text & "','" & txtPastPurchases.Text & "'," & txtOrderAmount.Text & ",'" & txtDate.Text & "'," & txtCustNum.Text & ")"
       Try

           Using connection As New OleDbConnection(connstring)

               connection.Open()

               Dim command As New OleDb.OleDbCommand(connectionstring, connection)


               command.Parameters.AddWithValue("@CustomerNumber", OleDbType.Integer).Value = txtCustNum.Text()
               command.Parameters.AddWithValue("@CustomerName", OleDbType.VarChar).Value = txtCustName.Text()
               command.Parameters.AddWithValue("@Email", OleDbType.VarChar).Value = txtEmail.Text()
               command.Parameters.AddWithValue("@PhoneNumber", OleDbType.VarChar).Value = txtNumber.Text()
               command.Parameters.AddWithValue("@AddressNumber", OleDbType.VarChar).Value = txtNumberZone.Text()
               command.Parameters.AddWithValue("@Surburb", OleDbType.VarChar).Value = txtSurburb.Text()
               command.Parameters.AddWithValue("@City", OleDbType.VarChar).Value = txtCity.Text()
               command.Parameters.AddWithValue("@PostalCode", OleDbType.VarChar).Value = txtPostalCode.Text()
               command.Parameters.AddWithValue("@PastPurchases", OleDbType.VarChar).Value = txtPastPurchases.Text()
               command.Parameters.AddWithValue("@CurrentOrderAmount", OleDbType.Double).Value = txtOrderAmount.Text()
               command.Parameters.AddWithValue("@DatePurchase", OleDbType.VarChar).Value = txtDate.Text()
               command.ExecuteNonQuery()

               connection.Close()
           End Using

       Catch ex As Exception
           MsgBox("info not saved" & ex.ToString)

       End Try
   End Sub

参考我的以前的解决方案,并对您的代码进行更改

insert statement vb.net,SQL参数化查询 [ ^ ]
refer my pervious solution and make the changes to your code
insert statement vb.net, SQL parameterised query [^]


永远不要通过连接用户输入来构建SQL查询,它被命名为SQL注入,它对您的数据库很容易并且容易出错。

名称中的单引号和程序崩溃。如果像Brian O'Conner这样的用户输入可能会使您的应用程序崩溃,那么这是一个SQL注入漏洞。

SQL注入 - 维基百科 [ ^ ]

SQL注入 [ ^ ]
Never build an SQL query by concatenating with user inputs, it is named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability.
SQL injection - Wikipedia[^]
SQL Injection[^]


相关推荐