在错误中需要帮助 [英] Need help in the error
问题描述
大家好
请查看以下详细信息并帮我解决问题
代码:
Hi all
Please find the below details and help me to solve the prob
code:
Dim con1 As New SqlConnection("Data Source=KITT7-PC;Initial Catalog=project;User ID=sa;Password=1234")
con1.Open()
Dim cmd As New SqlCommand("insert into CompanyCreation values('" & txtCompanyName.Text & "','" & txtCompanyCode.Text & "','" & txtCompanyAlias.Text & "','" & txtAddress.Text & "','" & cmbCity.Text & "','" & txtPincode.Text & "','" & cmbState.Text & "','" & txtCountry.Text & "','" & txtPh1.Text & "','" & txtPh2.Text & "','" & txtPh3.Text & "','" & txtFax.Text & "','" & txtMobile.Text & "','" & txtEmail.Text & "','" & txtWebsite.Text & "','" & txtServiceTAX.Text & "','" & txtVATNo.Text & "','" & cmbTaxing.Text & "','" & cmbFinYear.Text & "','" & txtCurrency.Text & "','" & txtITPan.Text & "','" & cmbAccountingSystem.Text & "','" & txtTIN.Text & "','" & txtCST.Text & "','" & txtWardno.Text & "','" & txtAdminUser.Text & "','" & txtAdminPass.Text & "','" & txtConfirmPass.Text & "','" & txtcodex.Text & "','" & txtPass.Text & "','" & txtConfirmPass.Text & "')", con1)
cmd.ExecuteNonQuery()
Catch ex As Exception
End Try
数据库:
database:
ID int
CompanyCode varchar(50)
CompanyName varchar(25)
Alias varchar(100)
AgentType varchar(100)
Address varchar(25)
City varchar(25)
Pincode int
State varchar(100)
Country varchar(100)
Ph1 numeric(10, 0)
Ph2 numeric(10, 0)
Ph3 numeric(10, 0)
Fax numeric(10, 0)
Mobile numeric(10, 0)
Email nvarchar(30)
Website nvarchar(30)
Taxing varchar(30)
ServiceTax decimal(10, 2)
VATNo int
FinancialYearStart int
IndianCurrencySymbol varchar(25)
ITPan varchar(25)
AccountingSystem varchar(15)
Account varchar(25)
TIN numeric(10, 0)
CST varchar(25)
WardNo int
AdminUser varchar(30)
AdminPass varchar(30)
LocatonofDataSave varchar(50)
Codex int
我收到错误说
将数据类型varchar转换为数字时出错。
请告诉我哪里是问题。
I am getting the error saying
Error converting data type varchar to numeric.
Please tell me where is the problem.
推荐答案
真糟糕!
在你知道什么是好之前,你需要做很多事情。发生在这里:
1)使用参数化查询。正如AlluvialDeposit所说,你对代码所代表的SQL注入攻击持开放态度。参数化查询也会使你的代码变得更加可读。
2)命名你要插入的字段。
What a mess!
There are a number of things you need to do before you will get a good idea what is happening here:
1) Use Parametrized queries. As AlluvialDeposit says, you are wide open to SQL injection attacks as your code stands. Parametrized queries will also make you code much, much more readable.
2) Name the fields you are inserting into.
INSERT INTO CompanyCreation (ID, CompanyCode, CompanyName, ...) VALUES (...
这样,SQL确切地知道要插入哪一列的值。
它也会在将值传递给SQL之前将值转换为适当的数据类型是一个非常好的主意 - 如果用户犯了错误,您可以发出特定的错误消息而不是您的应用程序因异常而失败,因为SQL不能转换一个值。
这样做可能会解决您的问题,同时提高可用性,可读性,可靠性和可维护性。
That way, SQL knows exactly which value you want to insert into which column.
It would also be a very good idea to convert the values to an appropriate datatype before passing them through to SQL - that way if the user makes a mistake, you can issue a specific error message instead of your app failing with an exception because SQL can''t convert a value either.
Doing those will probably get rid of your problem as well as improving usability, readability, reliability and maintainability.
错误意味着您正在尝试将字符串值插入数字列。尝试wri在执行之前先查看生成的sql-query以查看是否可以发现错误。
The error means that you are trying to insert a string value into a number column. Try to write out your generated sql-query before you execute it to see if you can spot the error.
Response.Write(cmd.CommandText);
Response.End();
这篇关于在错误中需要帮助的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!