我收到错误“没有给出一个或多个所需参数的值” [英] I'm getting an error "no value given for one or more required parameters"

查看:92
本文介绍了我收到错误“没有给出一个或多个所需参数的值”的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

Dim cmd As New OleDb.OleDbCommand
       If MainAdmin.DataGridView4.Rows.Count > 0 Then
           If MainAdmin.DataGridView4.SelectedRows.Count > 0 Then
               Dim strStdID As String = MainAdmin.DataGridView4.SelectedRows(0).Cells("Username").Value
               'open connection
               If Not cnn.State = ConnectionState.Open Then
                   cnn.Open()
               End If
               'delete data
               cmd.Connection = cnn
               cmd.CommandText = "DELETE FROM DAdmin WHERE Username =" & strStdID
               cmd.ExecuteNonQuery()
           End If
       End If
       cnn.Close()





我尝试了什么:



请帮我调试这行代码



What I have tried:

Please help me debug this line of codes

推荐答案

如果strStdID是Joe Bloggs那么你正在执行什么SQL?



If strStdID is "Joe Bloggs" then what SQL are you executing?

DELETE FROM DAdmin WHERE Username = Joe Bloggs





这是有效的SQL吗?如果您的用户名为我或1 = 1,那么您的SQL将是





Is that valid SQL? What if your username was "me or 1=1" then your SQL would be

DELETE FROM DAdmin WHERE Username = me or 1 = 1



接下来会发生什么? (谷歌小武器表的线索)。



您需要将文本参数放在引号中,但最好的方法是使用参数并让ado.net为你排序




what would happen then? (Google "little bobby tables" for a clue).

You need to put text parameters in quotes, however the best way of doing this is to use parameters and let ado.net sort it out for you

cmd.CommandText = "DELETE FROM DAdmin WHERE Username = @userID";
cmd.Parameters.AddWithValue ("@userID", strStdID);
cmd.ExecuteNonQuery()





如果仍然出现错误,可能是因为用户名是保留字,所以你可能会需要使用方括号让数据库知道你的意思是列名而不是保留字





If you still get the error it could be because Username is a reserved word so you might need to use square brackets to let the database know you mean the column name and not the reserved word

cmd.CommandText = "DELETE FROM DAdmin WHERE [Username] = @userID";


您应该使用参数化查询 [ ^ ]以防止 SQL注入 [ ^ ],它也将消除错误,即'strStdID'周围缺少引号,即
You should be using Parameterized Queries[^] to prevent SQL injection[^], and it will also eliminate the error which is the missing quotes around 'strStdID', i.e.
cmd.CommandText = "DELETE FROM DAdmin WHERE Username ='" & strStdID & "'"


看起来你忘了告诉 strStdID 是一个字符串

Looks like you forgot to tell that strStdID is a string
cmd.CommandText = "DELETE FROM DAdmin WHERE Username = '" & strStdID & "'"


这篇关于我收到错误“没有给出一个或多个所需参数的值”的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发语言最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆