执行标量要求命令具有事务 [英] Execute scalar requires the command to have a transaction
问题描述
我的项目是用VB开发的,后端是mssql2005。我需要插入我的值,但它显示如下错误。当我点击保存按钮时显示此错误
My project is developed in VB and back end is mssql2005.I Need to insert my from values but it shows as following error.When i click Save Button It shows this error
ExecuteScalar requires the command to have a transaction when the connection assigned to the command is in a pending local transaction. The Transaction property of the command has not been initialized.
我尝试过:
这是我的代码。
公共函数ExecuteScalar(ByVal PstrSql As String)As Object
Dim objCmd As New SqlCommand
objCmd.CommandText = PstrSql.ToLower
objCmd.Connection = GCon
ExecuteScalar = objCmd.ExecuteScalar()
结束函数
What I have tried:
This is My Code.
Public Function ExecuteScalar(ByVal PstrSql As String) As Object
Dim objCmd As New SqlCommand
objCmd.CommandText = PstrSql.ToLower
objCmd.Connection = GCon
ExecuteScalar = objCmd.ExecuteScalar()
End Function
推荐答案
你的问题是你有一个全局连接对象,你在任何地方使用 - 在你的应用程序的某个地方,你不是完成一项行动。这可能是你没有关闭的读者,你没有承诺或回滚的交易,或者其他一些操作 - 我们无法分辨。
但是你不能完成新的DB操作,直到旧的操作完成,因为连接忙于旧的工作。
最好的方法是在需要时始终构建你的Connection对象它们位于使用块内,以便在完成连接后自动关闭和处置。
但是......代码并不好 - 仅仅将一个字符串传递给它就像SQL命令一样,这意味着你很容易受到SQL注入攻击,因为你没有提供将参数传递给查询的机制 - 所以你可能会这么做类似
Your problem is that you have a global connection object that you use everywhere - and somewhere in your app you are not "completing" an operation. That may be a Reader you don't close, a Transaction you haven't Committed or Rolled back, or some other operation - we can't tell.
But you can't complete the new DB operation until the old one is finished because the connection is busy with the "old" job.
The best way round this is to always construct your Connection objects when you need them inside aUsingblock so that the Connection is automatically Closed and Disposed when you are finished with it.
But ... that code is not good - the mere fact that you pass just a string to it as an SQL Command implies that you are vulnerable to SQL Injection, because you provide no mechanism to pass parameters to the query - so you probably do something like
Dim result As Integer = ExecuteScalar("SELECT stockLevel FROM Stock WHERE productName = '" & prodName.Text & "'")这非常糟糕。
永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。总是使用参数化查询。
连接字符串时会导致问题,因为SQL会收到如下命令:
And that's very bad.
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.
When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'就SQL而言,用户添加的引号会终止字符串,并且您会遇到问题。但情况可能更糟。如果我来并改为输入:x'; DROP TABLE MyTable; - 然后SQL收到一个非常不同的命令:
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'哪个SQL看作三个单独的命令:
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';完全有效的SELECT
A perfectly valid SELECT
DROP TABLE MyTable;完全有效的删除表格通讯和
A perfectly valid "delete the table" command
--'其他一切都是评论。
所以它确实:选择任何匹配的行,从数据库中删除表,并忽略其他任何内容。
所以总是使用参数化查询!或者准备好经常从备份中恢复数据库。你定期做备份,不是吗?
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
这篇关于执行标量要求命令具有事务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
