Hi I'm a beginner, and I got this error. I don't know what's wrong, can anyone help me please?
Problem description
```vb
Private Sub BtnDelete_Click(sender As System.Object, e As System.EventArgs) Handles BtnDelete.Click
    If MessageBox.Show("Are you sure?", "Delete", MessageBoxButtons.YesNo, MessageBoxIcon.Warning) = Windows.Forms.DialogResult.Yes Then
        ' Note: in VB.NET a doubled "" inside a string literal is an escaped quote, so the
        ' whole right-hand side below is a single literal. The text  & ProductID &  is never
        ' evaluated, and SQL Server reads " & ProductID & " as a quoted column name.
        cnsql = "delete TbProduct where ProductID= "" & ProductID & """
        cn = New SqlClient.SqlConnection(cnstr)
        cn.Open()
        cm = New SqlClient.SqlCommand(cnsql, cn)
        dr = cm.ExecuteReader ' <---- Error! it says Invalid column name ' & ProductID & '.
        ShowData()
        TxtProductNameD.Clear()
        TxtProductpriceD.Clear()
        BtnDelete.Enabled = False
    Else
        TxtProductNameD.Clear()
        TxtProductpriceD.Clear()
        BtnDelete.Enabled = False
    End If
End Sub
```
[edit]Code block added - OriginalGriff[/edit]
Use a parameter as below:

```vb
cnsql = "DELETE FROM TbProduct WHERE ProductID = @ProductID"
cn = New SqlClient.SqlConnection(cnstr)
cn.Open()
cm = New SqlClient.SqlCommand(cnsql, cn)
' The value is sent separately from the SQL text, so it is never parsed as SQL.
cm.Parameters.AddWithValue("@ProductID", ProductID)
' A DELETE returns no result set: use ExecuteNonQuery (which returns the number
' of rows affected) rather than ExecuteReader.
Dim rowsDeleted As Integer = cm.ExecuteNonQuery()
cn.Close()
```
```vb
cnsql = "delete TbProduct where ProductID= "" & ProductID & """
cn = New SqlClient.SqlConnection(cnstr)
cn.Open()
cm = New SqlClient.SqlCommand(cnsql, cn)
dr = cm.ExecuteReader ' <---- Error! it says Invalid column name ' & ProductID & '.
```

Um.
SQL DELETE operations do not return an SqlReader - only SELECT operations do that - so the system is confused as to what you are trying to do.
Try this instead:

```vb
...
cm = New SqlClient.SqlCommand(cnsql, cn)
' ExecuteNonQuery is the call for statements that return no rows; its return
' value is the number of rows the DELETE affected.
cm.ExecuteNonQuery()
```
But the string looks wrong as well, and even if you fix it:

```vb
cnsql = "DELETE FROM TbProduct WHERE ProductID= " & ProductID
```

You are leaving yourself wide open to SQL injection attacks. Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL injection attacks, which can destroy your entire database. Use parameterized queries instead.
[edit]"delete TbProduct..." changed to "DELETE FROM TbProduct..." - Oops...[/edit]
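The two answers above both say the same thing: send the ID as a parameter, never paste it into the SQL text. The following is an added example, not code from the question or either answer, that shows what the warning actually means by running the same hostile input through a concatenated DELETE and a parameterized one. It uses Python's built-in sqlite3 module with an in-memory database so it runs offline; the table and rows are constructed here, and sqlite3's `?` placeholder plays the role of SqlClient's `@ProductID`. The numeric, unquoted form of the statement is the one from the second answer's "fixed" string.

```python
import sqlite3

# Constructed sample data (not from the original post): three rows of a
# TbProduct table like the one the question deletes from.
SAMPLE_ROWS = [
    (1, "Keyboard", 25.0),
    (2, "Mouse", 12.5),
    (3, "Monitor", 180.0),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE TbProduct (ProductID INTEGER, ProductName TEXT, ProductPrice REAL)")
    cn.executemany("INSERT INTO TbProduct VALUES (?, ?, ?)", SAMPLE_ROWS)
    cn.commit()
    return cn


def delete_concatenated(cn, product_id):
    """The pattern the question uses: the value is pasted into the SQL text.

    Whatever the user typed becomes part of the statement, so the WHERE clause
    is under the caller's control. A quoted variant (ProductID = '...') falls
    the same way to a payload that closes the quote, e.g.  x' OR '1'='1
    """
    cnsql = "DELETE FROM TbProduct WHERE ProductID = " + str(product_id)
    cur = cn.execute(cnsql)
    cn.commit()
    return cur.rowcount  # rows affected, what ExecuteNonQuery returns in ADO.NET


def delete_parameterized(cn, product_id):
    """The fix from the answers: the value travels as a parameter.

    sqlite3 uses a ? placeholder where SqlClient uses @ProductID; in both, the
    driver hands the value to the engine separately and never parses it as SQL.
    """
    cnsql = "DELETE FROM TbProduct WHERE ProductID = ?"
    cur = cn.execute(cnsql, (product_id,))
    cn.commit()
    return cur.rowcount


def remaining_ids(cn):
    """ProductIDs still in the table, in ascending order."""
    return [row[0] for row in cn.execute("SELECT ProductID FROM TbProduct ORDER BY ProductID")]


def demo():
    """Run the same hostile input through both versions and report what survived."""
    # What a hostile (or merely careless) user might type in the ProductID field.
    injected = "1 OR 1=1"

    cn = make_db()
    wiped = delete_concatenated(cn, injected)      # input rewrites the WHERE clause
    left_after_concat = remaining_ids(cn)

    cn = make_db()
    ignored = delete_parameterized(cn, injected)   # compared as a value, matches nothing
    left_after_param = remaining_ids(cn)

    cn = make_db()
    deleted = delete_parameterized(cn, 2)          # a real ID deletes exactly one row
    left_after_real = remaining_ids(cn)

    return {
        "wiped": wiped, "left_after_concat": left_after_concat,
        "ignored": ignored, "left_after_param": left_after_param,
        "deleted": deleted, "left_after_real": left_after_real,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With concatenation the input `1 OR 1=1` turns the statement into `DELETE FROM TbProduct WHERE ProductID = 1 OR 1=1`, which removes every row. With a parameter the same text is compared against the integer column as a value, matches nothing, and the table is untouched; a genuine ID still deletes exactly its one row. The rows-affected count returned by both functions is also the right thing to check in the VB.NET handler (via `ExecuteNonQuery`) before calling `ShowData()`.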