嗨，我是一名学生，我想知道如何纠正我的插入查询错误 [英] Hi I am a student, I want know how to correct my insert query error

问题描述

INSERT INTO语句中的语法错误



我尝试过：

Syntax error in INSERT INTO statement

What I have tried:

Protected Sub btnAdd_Click(sender As Object, e As EventArgs)
       Dim connectionstring As String

       Dim connstring As String = ("PROVIDER=Microsoft.Jet.OLEDB.4.0;Data Source = C:\Users\Mthobeli Gxavu\Documents\Customer2.mdb")


       connectionstring = "insert into CustomerDetais,CustomerHist(CustomerNumber,CustomerName,Email,PhoneNumber,AddressNumber,Surburb,City,PostalCode,PastPurchases,CurrentOrderAmount,DatePurchase,CustomerHist.CustomerNumber) values(" & txtCustNum.Text & ",'" & txtCustName.Text & "','" & txtEmail.Text & "','" & txtNumber.Text & "','" & txtNumberZone.Text & "','" & txtSurburb.Text & "','" & txtCity.Text & "','" & txtPostalCode.Text & "','" & txtPastPurchases.Text & "'," & txtOrderAmount.Text & ",'" & txtDate.Text & "'," & txtCustNum.Text & ")"
       Try

           Using connection As New OleDbConnection(connstring)

               connection.Open()

               Dim command As New OleDb.OleDbCommand(connectionstring, connection)


               command.Parameters.AddWithValue("@CustomerNumber", OleDbType.Integer).Value = txtCustNum.Text()
               command.Parameters.AddWithValue("@CustomerName", OleDbType.VarChar).Value = txtCustName.Text()
               command.Parameters.AddWithValue("@Email", OleDbType.VarChar).Value = txtEmail.Text()
               command.Parameters.AddWithValue("@PhoneNumber", OleDbType.VarChar).Value = txtNumber.Text()
               command.Parameters.AddWithValue("@AddressNumber", OleDbType.VarChar).Value = txtNumberZone.Text()
               command.Parameters.AddWithValue("@Surburb", OleDbType.VarChar).Value = txtSurburb.Text()
               command.Parameters.AddWithValue("@City", OleDbType.VarChar).Value = txtCity.Text()
               command.Parameters.AddWithValue("@PostalCode", OleDbType.VarChar).Value = txtPostalCode.Text()
               command.Parameters.AddWithValue("@PastPurchases", OleDbType.VarChar).Value = txtPastPurchases.Text()
               command.Parameters.AddWithValue("@CurrentOrderAmount", OleDbType.Double).Value = txtOrderAmount.Text()
               command.Parameters.AddWithValue("@DatePurchase", OleDbType.VarChar).Value = txtDate.Text()
               command.ExecuteNonQuery()

               connection.Close()
           End Using

       Catch ex As Exception
           MsgBox("info not saved" & ex.ToString)

       End Try
   End Sub

推荐答案

参考我的以前的解决方案，并对您的代码进行更改

insert statement vb.net，SQL参数化查询 [ ^ ]

refer my pervious solution and make the changes to your code
insert statement vb.net, SQL parameterised query [^]

永远不要通过连接用户输入来构建SQL查询，它被命名为SQL注入，它对您的数据库很容易并且容易出错。

名称中的单引号和程序崩溃。如果像Brian O'Conner这样的用户输入可能会使您的应用程序崩溃，那么这是一个SQL注入漏洞。

SQL注入 - 维基百科 [ ^ ]

SQL注入 [ ^ ]

Never build an SQL query by concatenating with user inputs, it is named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability.
SQL injection - Wikipedia[^]
SQL Injection[^]

这篇关于嗨，我是一名学生，我想知道如何纠正我的插入查询错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！