'Syntax error in from clause.' VB.NET - access


Problem description

At first, when it showed this error
I did put [*FROM] before the From statement
e.g: ["Delete student_id *FROM student]

Still it doesn't work

Can someone pls help me on this

What I have tried:

Private Sub btndelete_Click_1(sender As Object, e As EventArgs) Handles btndelete.Click
        cmdDelete.CommandText = "Delete [student_id] FROM student as S1 join payment as S2 on S1.student_id=S2.student_id where S1.student_id=(" + txtsid.Text + ");"
        cmdDelete.CommandType = CommandType.Text
        cmdDelete.Connection = cnnOLEDB
        cmdDelete.ExecuteNonQuery()
        MessageBox.Show("Are You Sure You Want To Delete?", "Deletion", MessageBoxButtons.YesNo, MessageBoxIcon.Question)
        If DialogResult.Yes Then
            UserHomepage.Show()
            Me.Hide()
        ElseIf DialogResult.No Then
            Me.Show()
            UserHomepage.Hide()
            lblname.Hide()
            txtsid.ResetText()
        End If
    End Sub

Recommended answer

As the error says, your DELETE syntax is incorrect.

Your code is also vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

And you probably want to ask the user whether or not they want to delete the record BEFORE you actually delete the record! :)
cmdDelete.CommandText = "Delete student.* FROM student as S1 join payment as S2 on S1.student_id=S2.student_id where S1.student_id = ?"
cmdDelete.Parameters.AddWithValue("sid", txtsid.Text)




EDIT: As pointed out in solution 3, Access doesn't support joins in the DELETE statement:
DELETE Statement (Microsoft Access SQL)

cmdDelete.CommandText = "DELETE * FROM student WHERE Exists(SELECT 1 FROM payment WHERE payment.student_id = student.student_id) And student_id = ?"
cmdDelete.Parameters.AddWithValue("sid", txtsid.Text)




Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP


Never, ever, construct an SQL query like you do by concatenating strings obtained from user inputs. This leaves your code wide open to SQL injection attacks. Better use parameterized queries instead. This subject is discussed daily here on CP so you will not have a hard time finding some more information about it (search sql injection in qa, for example).

Moreover, about your SQL query, to delete a row in a table you do not need to specify a column name, a DELETE statement is not a SELECT statement.
Plus, to delete a row in table S1, you do not need any join to S2 either.
So, all this would resort to a block of code which would look like:
cmdDelete.CommandText = "Delete FROM student where student_id=@id;"
cmdDelete.Parameters.AddWithValue("@id", txtsid.Text)
...



If student_id column is of integer type, you may have to write:

cmdDelete.CommandText = "Delete FROM student where student_id=@id;"
Dim id As Integer
' TryParse takes its result argument ByRef in VB.NET (no "out" keyword)
If Integer.TryParse(txtsid.Text, id) Then
   cmdDelete.Parameters.AddWithValue("@id", id)
Else
   ' Error: provided id was not a valid integer representation
End If




instead.


As far as I know, MS Access does not support DELETE + JOIN. You have to change your SQL command to the form below:
DELETE Table1.*
FROM Table1
WHERE EXISTS( Select 1 From Table2 Where Table2.Name = Table1.Name )





But, when I did look at your query again, I think you need only:

DELETE
FROM student
WHERE student_id=?;
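
Putting the answers' points together (ask before deleting, validate the id as an integer, bind it as a parameter), as an added example that is not part of the original thread. `StudentDeletion`, `DeleteStudent` and `ConfirmAndDelete` are hypothetical names; it assumes `student_id` is an integer column and that the connection is already open.

```vbnet
Imports System.Data.OleDb
Imports System.Windows.Forms

' Added example: hypothetical helper module, not code from the thread.
Public Module StudentDeletion

    ' Returns the number of rows deleted, or -1 when rawId is not a valid integer.
    ' Assumption: student_id is an integer column and cnn is already open.
    Public Function DeleteStudent(cnn As OleDbConnection, rawId As String) As Integer
        Dim id As Integer
        ' Reject anything that is not a plain integer before it gets near the query.
        If Not Integer.TryParse(rawId, id) Then
            Return -1
        End If

        ' The SQL text is a constant; the user's value travels only as a parameter.
        Using cmd As New OleDbCommand("DELETE FROM student WHERE student_id = ?", cnn)
            ' OleDb binds parameters by position; the name "sid" is only a label.
            cmd.Parameters.Add("sid", OleDbType.Integer).Value = id
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    ' Asks first, deletes second. Returns True only if a row was removed.
    Public Function ConfirmAndDelete(cnn As OleDbConnection, rawId As String) As Boolean
        ' Compare the value returned by MessageBox.Show; testing the enum member
        ' itself (If DialogResult.Yes Then) is always true.
        Dim answer As DialogResult = MessageBox.Show(
            "Are You Sure You Want To Delete?", "Deletion",
            MessageBoxButtons.YesNo, MessageBoxIcon.Question)
        If answer <> DialogResult.Yes Then
            Return False
        End If

        Dim rows As Integer = DeleteStudent(cnn, rawId)
        If rows < 0 Then
            MessageBox.Show("Student id must be a whole number.", "Deletion")
            Return False
        End If
        Return rows > 0
    End Function

End Module
```

From the button handler this would be called as `ConfirmAndDelete(cnnOLEDB, txtsid.Text)`.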

