我在查询表达式中的字符串中收到错误“语法错误”-55" [英] I am getting an error "syntax error in string in query expression "-55"
问题描述
Imports System.Data.OleDb
Imports System.Data
Public Class WithdrawandDeposit2
Dim adapt As New OleDbDataAdapter
Dim dset As New DataSet
Dim bal, num As String
Dim total As Double
Function draw() As Double
cn = New OleDb.OleDbConnection
With cn
.ConnectionString = "Provider=Microsoft.Ace.OLEDB.12.0;Data Source=" & Application.StartupPath & "\Maccount.accdb"
.Open()
End With
Dim dt As New DataSet("NewAccount")
Dim rs As New OleDb.OleDbDataAdapter(" Select * from NewAccount where Saccountno = '" + TextBox1.Text + "'", cn)
rs.Fill(dt)
If dt.Tables(0).Rows.Count > 0 Then
bal = dt.Tables(0).Rows(0)(6).ToString()
num = dt.Tables(0).Rows(0)(0).ToString()
TextBox2.Text = dt.Tables(0).Rows(0)(2).ToString()
End If
Return 0
End Function
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
Dim wb = Val(WithBox.Text)
Dim bal As New Double
' If Val(WithBox.Text) > bal Then
' LowerBalance.Show()
'ElseIf Me.WithBox.Text = "" Then
' Errorform1.Show()
'Else
total = CDbl(CInt(bal - Val(WithBox.Text)))
Dim dbcommand As String = "update NewAccount set Samount = '" & total & ""
adapt = New OleDbDataAdapter(dbcommand, cn)
dset = New DataSet()
adapt.Fill(dset)
'rs.Dispose()
'cn.Close()
Call draw()
' End If
End Sub
Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
Me.Close()
Transactions.Show()
End Sub
Private Sub WithdrawandDeposit2_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
Call draw()
TextBox2.Enabled = False
Call connection()
End Sub
End Class
我尝试了什么:
i我在adapt.fill(dset)语句中收到错误我试图减少该值在数据库中连续。能帮我解决这个问题吗
What I have tried:
i am getting an error in "adapt.fill(dset)" statement I was trying to decrease the value in a row in database. Can you please help me to resolve this
推荐答案
首先,请停止这样做!不要连接字符串以构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。
其次,您尝试从SQL UPDATE命令填充数据集,该命令不会返回任何行...
尝试直接尝试创建SqlCommand
对象,并在其上使用ExecuteNonQuery
。
但严重的是:首先修复你的连接,或者第一个感觉幽默的人只需输入你的文本框即可删除你的数据库......
First off, stop do it like that! Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Second, you are trying to fill a dataset from an SQL UPDATE command, which doesn't return any rows...
Try creating anSqlCommand
object directly instead, and useExecuteNonQuery
on it.
But seriously: fix your concatenation first, or the first person who feels humorous will delete your DB just by typing in your text boxes...
问题出在
Dim dbcommand As String = "update NewAccount set Samount = '" & total & ""
你有一个不应该在那里的单引号。
你不应该通过连接这样的字符串来创建查询 - 使用参数化查询(查询参数化备忘单 - OWASP [ ^ ])。这样你根本不必担心单引号,它可以保护你的数据库免受SQL注入。
我真的希望额外的单引号是输入错误并不意味着你在字符字段中存储total - 总是使用适当的列类型。
You have a single quote in there that should not be there.
You should not create queries by concatenating strings like this - use Parameterised queries (Query Parameterization Cheat Sheet - OWASP[^]). That way you don't have to worry about single quotes at all and it protects your database from SQL Injection.
I really hope that extra single quote was a typing error and it doesn't mean that you are storing "total" in a character field - always use the appropriate column type.
这篇关于我在查询表达式中的字符串中收到错误“语法错误”-55"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!