在错误中需要帮助 [英] Need help in the error

问题描述

大家好



请查看以下详细信息并帮我解决问题



代码：

Hi all

Please find the below details and help me to solve the prob

code:

Dim con1 As New SqlConnection("Data Source=KITT7-PC;Initial Catalog=project;User ID=sa;Password=1234")

       con1.Open()
       Dim cmd As New SqlCommand("insert into CompanyCreation values('" & txtCompanyName.Text & "','" & txtCompanyCode.Text & "','" & txtCompanyAlias.Text & "','" & txtAddress.Text & "','" & cmbCity.Text & "','" & txtPincode.Text & "','" & cmbState.Text & "','" & txtCountry.Text & "','" & txtPh1.Text & "','" & txtPh2.Text & "','" & txtPh3.Text & "','" & txtFax.Text & "','" & txtMobile.Text & "','" & txtEmail.Text & "','" & txtWebsite.Text & "','" & txtServiceTAX.Text & "','" & txtVATNo.Text & "','" & cmbTaxing.Text & "','" & cmbFinYear.Text & "','" & txtCurrency.Text & "','" & txtITPan.Text & "','" & cmbAccountingSystem.Text & "','" & txtTIN.Text & "','" & txtCST.Text & "','" & txtWardno.Text & "','" & txtAdminUser.Text & "','" & txtAdminPass.Text & "','" & txtConfirmPass.Text & "','" & txtcodex.Text & "','" & txtPass.Text & "','" & txtConfirmPass.Text & "')", con1)
       cmd.ExecuteNonQuery()
       Catch ex As Exception

       End Try

数据库：

database:

ID	int	
CompanyCode	varchar(50)	
CompanyName	varchar(25)	
Alias	varchar(100)	
AgentType	varchar(100)	
Address	varchar(25)	
City	varchar(25)	
Pincode	int	
State	varchar(100)	
Country	varchar(100)	
Ph1	numeric(10, 0)	
Ph2	numeric(10, 0)	
Ph3	numeric(10, 0)	
Fax	numeric(10, 0)	
Mobile	numeric(10, 0)	
Email	nvarchar(30)	
Website	nvarchar(30)	
Taxing	varchar(30)	
ServiceTax	decimal(10, 2)	
VATNo	int	
FinancialYearStart	int	
IndianCurrencySymbol	varchar(25)	
ITPan	varchar(25)	
AccountingSystem	varchar(15)	
Account	varchar(25)	
TIN	numeric(10, 0)	
CST	varchar(25)	
WardNo	int	
AdminUser	varchar(30)	
AdminPass	varchar(30)	
LocatonofDataSave	varchar(50)	
Codex	int	

我收到错误说

将数据类型varchar转换为数字时出错。



请告诉我哪里是问题。

I am getting the error saying
Error converting data type varchar to numeric.

Please tell me where is the problem.

推荐答案

真糟糕！

在你知道什么是好之前，你需要做很多事情。发生在这里：

1）使用参数化查询。正如AlluvialDeposit所说，你对代码所代表的SQL注入攻击持开放态度。参数化查询也会使你的代码变得更加可读。

2）命名你要插入的字段。

What a mess!
There are a number of things you need to do before you will get a good idea what is happening here:
1) Use Parametrized queries. As AlluvialDeposit says, you are wide open to SQL injection attacks as your code stands. Parametrized queries will also make you code much, much more readable.
2) Name the fields you are inserting into.

INSERT INTO CompanyCreation (ID, CompanyCode, CompanyName, ...) VALUES (...

这样，SQL确切地知道要插入哪一列的值。



它也会在将值传递给SQL之前将值转换为适当的数据类型是一个非常好的主意 - 如果用户犯了错误，您可以发出特定的错误消息而不是您的应用程序因异常而失败，因为SQL不能转换一个值。



这样做可能会解决您的问题，同时提高可用性，可读性，可靠性和可维护性。

That way, SQL knows exactly which value you want to insert into which column.

It would also be a very good idea to convert the values to an appropriate datatype before passing them through to SQL - that way if the user makes a mistake, you can issue a specific error message instead of your app failing with an exception because SQL can''t convert a value either.

Doing those will probably get rid of your problem as well as improving usability, readability, reliability and maintainability.

错误意味着您正在尝试将字符串值插入数字列。尝试wri在执行之前先查看生成的sql-query以查看是否可以发现错误。

The error means that you are trying to insert a string value into a number column. Try to write out your generated sql-query before you execute it to see if you can spot the error.

Response.Write(cmd.CommandText);
Response.End();

这篇关于在错误中需要帮助的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！