I am getting "Data type mismatch in criteria expression" in vb.net


Question

I am using Visual Studio 2008 and MS Access... I am getting the error in my insert command. I have modified the database table also, but still I am getting the same error. Please help me..

' con (OleDbConnection) and cmd (OleDbCommand) are assumed to be form-level fields declared elsewhere in the form.
Private Sub btninsert_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btninsert.Click
    con.Open()
    ' Every TextBox value is concatenated straight into the SQL text: unquoted values go to
    ' numeric columns as typed (so an empty or non-numeric box breaks the statement), and the
    ' quoted values carry the stray spaces inside ' ... ' into the text columns.
    cmd = New OleDbCommand("insert into b1 values( " & TextBox1.Text & " , ' " & TextBox2.Text & " ' , ' " & TextBox3.Text & " ' , ' " & TextBox4.Text & " ' , " & TextBox5.Text & " , ' " & TextBox6.Text & " ' , " & TextBox7.Text & " , " & TextBox8.Text & " , ' " & TextBox9.Text & " ' , " & TextBox10.Text & " , " & TextBox11.Text & " , ' " & TextBox12.Text & " ' , " & TextBox13.Text & " , " & TextBox14.Text & " , " & TextBox15.Text & " , " & TextBox16.Text & " , " & TextBox17.Text & " )", con)
    cmd.ExecuteNonQuery()
    MsgBox("INSERTED")
    con.Close()
End Sub

Solution

Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA
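As an added illustration of the parametrized approach the answer recommends (example code, not taken from the question or the answer), here is the insert rewritten with typed OleDb parameters. It assumes a table b1 whose first three columns are an integer id, a text name and an integer qty, plus a placeholder database path; the real column names and types are not given on the page.

```vbnet
' Added example; assumes b1(id INTEGER, name TEXT, qty INTEGER). Not the original poster's code.
Imports System
Imports System.Data.OleDb

Module ParameterizedInsertExample

    ' Returns the number of rows inserted, or -1 when a numeric field did not parse.
    Public Function InsertB1(conn As OleDbConnection, idText As String, name As String, qtyText As String) As Integer
        Dim id, qty As Integer
        ' Convert and validate numeric input in code, before it reaches the database.
        ' Text such as "12 " or "abc" arriving in a numeric column is exactly the kind of
        ' input behind "Data type mismatch in criteria expression".
        If Not Integer.TryParse(idText.Trim(), id) OrElse Not Integer.TryParse(qtyText.Trim(), qty) Then
            Return -1
        End If

        ' Explicit column list and one typed parameter per value: the user's text is sent
        ' as data, never spliced into the SQL statement. The Access OLE DB provider binds
        ' parameters by position, so "?" placeholders are used and the names are only labels.
        Using cmd As New OleDbCommand("INSERT INTO b1 (id, [name], qty) VALUES (?, ?, ?)", conn)
            cmd.Parameters.Add("@id", OleDbType.Integer).Value = id
            cmd.Parameters.Add("@name", OleDbType.VarWChar, 255).Value = name.Trim()
            cmd.Parameters.Add("@qty", OleDbType.Integer).Value = qty
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    Sub Main()
        ' Placeholder connection string: point Data Source at your own .mdb file.
        Dim connStr As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\path\to\database.mdb"
        Using conn As New OleDbConnection(connStr)
            conn.Open()
            ' A name containing a quote is stored literally; it can no longer change the statement.
            Dim rows As Integer = InsertB1(conn, "1", "O'Brien", "5")
            Console.WriteLine(rows & " row(s) inserted")
        End Using
    End Sub

End Module
```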

