无法从vb.net wpf表单将记录插入sql server [英] Unable to insert record into sql server from vb.net wpf form
本文介绍了无法从vb.net wpf表单将记录插入sql server的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
Dim cn As New SqlConnection
Dim cmd As New SqlCommand
Dim str As String
cn.ConnectionString = "Data Source=PARTH-PC;Initial Catalog=db_hba;Integrated Security=True"
Dim ca As Integer
Try
cn.Open()
str = "insert into EmMaster(EmMaster_EmpCode,EmMaster_EmpName,EmMaster_EmDesig,"
str += "EmMaster_EmpPort,EmMaster_EmpDivi,EmMaster_SubDivi,EmMaster_EmplDob,EmMaster_EmplDoj,EmMaster_EmplDor,"
str += "EmMaster_Service,EmMaster_EmplMob,EmMaster_EmEmail,EmMaster_PaScale) values ('" + txtEmpCode.Text + "','" + txtName.Text + "','" + txtDesignation.Text + "','" + txtPort.Text + "','" + txtDivision.Text + "','" + txtSubDivision.Text + "','" + txtDOB.SelectedDate.ToString + "','" + txtDOJ.SelectedDate.ToString + "','" + txtDOR.SelectedDate.ToString + "','" + txtTotalService.Text + "','" + txtMobile.Text + "','" + txtEmail.Text + "','" + txtPayScale.Text + "')"
cmd = New SqlCommand(str, cn)
ca = cmd.ExecuteNonQuery
MessageBox.Show(ca)
Catch ex As Exception
MessageBox.Show("could not insert record")
cn.Close()
End Try
推荐答案
不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。
这可能会解决您的问题。
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
The chances are that that will fix your problem.
str = "insert into EmMaster(EmMaster_EmpCode, EmMaster_EmpName, EmMaster_EmDesig, EmMaster_EmpPort, EmMaster_EmpDivi, EmMaster_SubDivi, EmMaster_EmplDob, EmMaster_EmplDoj, EmMaster_EmplDor, EmMaster_Service, EmMaster_EmplMob, EmMaster_EmEmail, EmMaster_PaScale) values (@COD, @NAM, @DES, @PRT, @DIV, @SDV, @DOB, @DOJ, @DOR, @SER, @MOB, @EML, @PAS)"
cmd = New SqlCommand(str, cn)
cmd.Parameters.AddWithValue("@COD", txtEmpCode.Text)
cmd.Parameters.AddWithValue("@NAM", txtName.Text)
cmd.Parameters.AddWithValue("@DES", txtDesignation.Text)
cmd.Parameters.AddWithValue("@PRT", txtPort.Text)
cmd.Parameters.AddWithValue("@DIV", txtDivision.Text)
cmd.Parameters.AddWithValue("@SDV", txtSubDivision.Text)
cmd.Parameters.AddWithValue("@DOB", txtDOB.SelectedDate)
cmd.Parameters.AddWithValue("@DOJ", txtDOJ.SelectedDate)
cmd.Parameters.AddWithValue("@DOR", txtDOR.SelectedDate)
cmd.Parameters.AddWithValue("@SER", txtTotalService.Text)
cmd.Parameters.AddWithValue("@MOB", txtMobile.Text)
cmd.Parameters.AddWithValue("@EML", txtEmail.Text)
cmd.Parameters.AddWithValue("@PAS", txtPayScale.Text)
但是......帮自己一个忙,并在你的所有列上转储EmMaster_Emp前缀 - 你不需要它们,它只会使一切更难阅读。并且不要将所有内容称为txt ... - 尤其是当它不是TextBox时!这只是令人困惑。
But...do yourself a favour and dump the "EmMaster_Emp" prefix on all your columns - you don't need them and it just makes everything harder to read. And don't call everything "txt..." - particularly when it isn't a TextBox! That's just confusing.
这篇关于无法从vb.net wpf表单将记录插入sql server的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
