我收到错误“没有给出一个或多个所需参数的值” [英] I'm getting an error "no value given for one or more required parameters"
问题描述
Dim cmd As New OleDb.OleDbCommand
If MainAdmin.DataGridView4.Rows.Count > 0 Then
If MainAdmin.DataGridView4.SelectedRows.Count > 0 Then
Dim strStdID As String = MainAdmin.DataGridView4.SelectedRows(0).Cells("Username").Value
'open connection
If Not cnn.State = ConnectionState.Open Then
cnn.Open()
End If
'delete data
cmd.Connection = cnn
cmd.CommandText = "DELETE FROM DAdmin WHERE Username =" & strStdID
cmd.ExecuteNonQuery()
End If
End If
cnn.Close()
我尝试了什么:
请帮我调试这行代码
What I have tried:
Please help me debug this line of codes
推荐答案
如果strStdID是Joe Bloggs那么你正在执行什么SQL?
If strStdID is "Joe Bloggs" then what SQL are you executing?
DELETE FROM DAdmin WHERE Username = Joe Bloggs
这是有效的SQL吗?如果您的用户名为我或1 = 1,那么您的SQL将是
Is that valid SQL? What if your username was "me or 1=1" then your SQL would be
DELETE FROM DAdmin WHERE Username = me or 1 = 1
接下来会发生什么? (谷歌小武器表的线索)。
您需要将文本参数放在引号中,但最好的方法是使用参数并让ado.net为你排序
what would happen then? (Google "little bobby tables" for a clue).
You need to put text parameters in quotes, however the best way of doing this is to use parameters and let ado.net sort it out for you
cmd.CommandText = "DELETE FROM DAdmin WHERE Username = @userID";
cmd.Parameters.AddWithValue ("@userID", strStdID);
cmd.ExecuteNonQuery()
如果仍然出现错误,可能是因为用户名是保留字,所以你可能会需要使用方括号让数据库知道你的意思是列名而不是保留字
If you still get the error it could be because Username is a reserved word so you might need to use square brackets to let the database know you mean the column name and not the reserved word
cmd.CommandText = "DELETE FROM DAdmin WHERE [Username] = @userID";
您应该使用参数化查询 [ ^ ]以防止 SQL注入 [ ^ ],它也将消除错误,即'strStdID'周围缺少引号,即
You should be using Parameterized Queries[^] to prevent SQL injection[^], and it will also eliminate the error which is the missing quotes around 'strStdID', i.e.
cmd.CommandText = "DELETE FROM DAdmin WHERE Username ='" & strStdID & "'"
看起来你忘了告诉strStdID
是一个字符串
Looks like you forgot to tell thatstrStdID
is a string
cmd.CommandText = "DELETE FROM DAdmin WHERE Username = '" & strStdID & "'"
这篇关于我收到错误“没有给出一个或多个所需参数的值”的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!