Operator '&' is not defined for types 'String' and 'System.Windows.Forms.ComboBox'. problem


Problem description



Hey, I'm trying to insert data into a database from VB here. So the first data is from a textbox, while the other 5 data are from comboboxes where I've already inserted the unbound value into it through VB. So when I try to debug the program, the following stated error occurred. Can anybody tell what's wrong with my code, or maybe I missed something? Thanks for your help. :D

Dim rs As New OleDb.OleDbCommand("Insert into table1 (id, control1, control2, control2, control3, control4, control5) values('" & TextBox1.Text & "', '" & Me.ComboBox1 & "', '" & Me.ComboBox2 & "', '" & Me.ComboBox3 & "', '" & Me.ComboBox4 & "', '" & Me.ComboBox5 & "')", con)

Solution

ComboBox1 is (a reference to) a Control, while a string is expected there (e.g. ComboBox1.SelectedItem.ToString()).
Of course, you should also follow the advice on using parameterized queries.


Of course a combo box cannot be converted to a string, so it's strange that you even complain about the error. Probably you mean the text of the combo box's selected item.

But your approach is wrong from the very beginning. The query is composed by concatenation with strings taken from the UI. Not only is repeated string concatenation inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but there is a way more important issue: it opens the doors to a well-known exploit called SQL injection.

This is how it works: http://xkcd.com/327.

Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.

What to do? Just read about this problem and the main remedy: parametrized statements: http://en.wikipedia.org/wiki/SQL_injection.

With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA
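
A parameterized version of the question's insert, as an added example that is not part of the original thread. The module and function names are hypothetical, `con` is assumed to be an open `OleDbConnection`, and the column list assumes five distinct columns `control1` to `control5` (the question lists `control2` twice).

```vb
Imports System.Data.OleDb
Imports System.Windows.Forms

Module InsertExample
    ' Returns the text of the selected item rather than the ComboBox control
    ' itself, which is what caused the "Operator '&' is not defined" error.
    Private Function SelectedText(box As ComboBox) As String
        If box.SelectedItem Is Nothing Then
            Throw New InvalidOperationException("No item selected in " & box.Name)
        End If
        Return box.SelectedItem.ToString()
    End Function

    ' Hypothetical helper. Call it from the form as:
    '   InsertRow(con, TextBox1, ComboBox1, ComboBox2, ComboBox3, ComboBox4, ComboBox5)
    Public Function InsertRow(con As OleDbConnection, idBox As TextBox,
                              ParamArray boxes() As ComboBox) As Integer
        ' Assumed column list: one id column plus control1..control5.
        Const sql As String =
            "INSERT INTO table1 (id, control1, control2, control3, control4, control5) " &
            "VALUES (?, ?, ?, ?, ?, ?)"

        If boxes.Length <> 5 Then
            Throw New ArgumentException("Expected exactly 5 combo boxes.")
        End If

        Using cmd As New OleDbCommand(sql, con)
            ' OleDb binds parameters by position, not by name, so they must be
            ' added in the same order as the ? placeholders.
            cmd.Parameters.AddWithValue("@id", idBox.Text)
            For i As Integer = 0 To boxes.Length - 1
                cmd.Parameters.AddWithValue("@control" & (i + 1).ToString(),
                                            SelectedText(boxes(i)))
            Next
            ' User input travels as data only; it is never spliced into the SQL text.
            Return cmd.ExecuteNonQuery()
        End Using
    End Function
End Module
```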

