Getting data mismatch type error


Problem description

Here is my code.

OleDbConnection con1 = new OleDbConnection(con);
       con1.Open();
       OleDbCommand cmd = new OleDbCommand("insert into reimb values('" +frm_date.Text + "','" + txt_todate.Text + "','"+dd1.SelectedItem.Value+"','"+people_num.Text+"','"+remarks.Text+"','"+bill_num.Text+"','"+bill_amount.Text+"')", con1);
       cmd.ExecuteNonQuery();
       Response.Write("Data saved");
       con1.Close();


It may be because of the date, but tell me what I should change.

What I have tried:

I have tried directly picking up the value from the calendar and even tried storing the selected calendar date in a text box and saving the text box values in MS Access, but it still says data mismatch.

Solution

Firstly, do not use concatenated strings to construct your SQL query. It leaves you open to SQL Injection.

Secondly, the fix for that is to use Parameterized Queries (see Query Parameterization Cheat Sheet - OWASP).

Parameterized queries will also help you to overcome problems like this.

Lastly, with dates always use unambiguous date formats (see Jamie Thomson: Unambiguous date formats: T-SQL Tuesday #001), which will also help you get over this problem.


It is because Access wants #'s around the dates, instead of single quotes. However, this method of concatenating strings together is a huge security risk called SQL injection. If you change your code to use Parameters instead, this will work fine and be secure.

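// Pass the connection as well; con1 is the connection opened in the question.
cmd = new OleDbCommand("insert into reimb values(@field1, @field2, @field3)", con1);
// OleDb binds parameters by position, so add them in the order they appear in the SQL.
cmd.Parameters.AddWithValue("@field1", frm_date.Text);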
...


Stop doing that!
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Process your user inputs into appropriate datatypes - use DateTime.TryParse to convert strings to DateTime values for example - and pass those "real" values directly via parameters. You should find your problem disappears at the same time.

BTW: It's a very good idea to list the columns you are planning on inserting the values to in your INSERT statement: that way changes to your DB don't cause your code to crash or, worse, enter data in the wrong columns...

INSERT INTO MyTable (Column1Name, Column2Name) VALUES (....
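
The three answers combined into one insert routine, as an added example that is not code from the question or from any of the answers: inputs are parsed into real types, the columns are listed explicitly, and every value travels as a typed parameter. The class and method names, the column names and column types of reimb, and the yyyy-MM-dd input format are assumptions.

```csharp
using System;
using System.Data.OleDb;
using System.Globalization;

public static class ReimbRepository
{
    // Column names are hypothetical; replace them with the real columns of reimb.
    private const string InsertSql =
        "INSERT INTO reimb (FromDate, ToDate, Category, PeopleCount, Remarks, BillNumber, BillAmount) " +
        "VALUES (?, ?, ?, ?, ?, ?, ?)";

    // Returns null on success, or a message naming the field that failed validation.
    public static string Save(string connectionString, string fromText, string toText,
        string category, string peopleText, string remarks, string billNumber, string amountText)
    {
        DateTime from, to;
        int people;
        decimal amount;
        // Assumed input format: ISO yyyy-MM-dd, which is unambiguous across cultures.
        if (!DateTime.TryParseExact(fromText, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                DateTimeStyles.None, out from)) return "Invalid from date";
        if (!DateTime.TryParseExact(toText, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                DateTimeStyles.None, out to)) return "Invalid to date";
        if (!int.TryParse(peopleText, NumberStyles.Integer, CultureInfo.InvariantCulture, out people))
            return "Invalid number of people";
        if (!decimal.TryParse(amountText, NumberStyles.Number, CultureInfo.InvariantCulture, out amount))
            return "Invalid bill amount";

        using (var con = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(InsertSql, con))
        {
            // OleDb binds parameters by position, so add them in column order.
            // The OleDbType values assume Date/Time, Text, Number and Currency columns.
            cmd.Parameters.Add("FromDate", OleDbType.Date).Value = from;
            cmd.Parameters.Add("ToDate", OleDbType.Date).Value = to;
            cmd.Parameters.Add("Category", OleDbType.VarWChar, 255).Value = category ?? "";
            cmd.Parameters.Add("PeopleCount", OleDbType.Integer).Value = people;
            cmd.Parameters.Add("Remarks", OleDbType.VarWChar, 255).Value = remarks ?? "";
            cmd.Parameters.Add("BillNumber", OleDbType.VarWChar, 255).Value = billNumber ?? "";
            cmd.Parameters.Add("BillAmount", OleDbType.Currency).Value = amount;
            con.Open();
            cmd.ExecuteNonQuery();
        }
        return null;
    }
}
```

Because the dates reach Access as DateTime values rather than quoted text, the # versus single-quote question never arises, and quote characters typed into the remarks field are stored as data instead of being parsed as SQL.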

