SQL Server 2012 - ASP.NET - VB.NET - 插入數據到數據庫

Question

我試圖插入數據到數據庫表使用SQL語句與VB.NET。

這是我的代碼：

Registration.aspx：

Imports dbConnect 
Imports System.Data.SqlClient 


Partial Class Registration 
    Inherits System.Web.UI.Page 

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load 

    End Sub 

    Protected Sub btnRegister_Click(sender As Object, e As EventArgs) Handles btnRegister.Click 

     register() 


    End Sub 


    Public Sub register() 



     Dim Username As String = txtUsername.ToString 
     Dim Surname As String = txtSurname.ToString 
     Dim Password As String = txtPassword.ToString 
     Dim Name As String = txtName.ToString 
     Dim Address1 As String = txtAddress1.ToString 
     Dim Address2 As String = txtAddress2.ToString 
     Dim City As String = txtCity.ToString 
     Dim Email As String = txtEmail.ToString 
     Dim Country As String = drpCountry.ToString 
     Dim DOB As Date = calDOB.SelectedDate 
     Dim Occupation As String = txtOccupation.ToString 
     Dim WorkLocation As String = txtWorkLocation.ToString 
     Dim Age As Integer = "20" 

     Dim ProjectManager As String = "test" 
     Dim TeamLeader As String = "test" 
     Dim TeamLeaderID As Integer = 1 
     Dim ProjectManagerID As Integer = 1 

     Dim RegistrationDate As Date = Today 
     Dim ContractType As String = "test" 
     Dim ContractDuration As Integer = 6 
     Dim Department As String = "test" 
     Dim conn As New SqlConnection("Data Source=BRIAN-PC\SQLEXPRESS;Initial Catalog=master_db;Integrated Security=True") 
     Dim registerSQL As SqlCommand 
     Dim sqlComm As String 

     sqlComm = "INSERT INTO users(Username, Password, Name, Surname, Address1, Address2, City, Country, date_of_birth, age, Occupation, department, work_location, project_manager,team_leader, team_leader_id, project_manager_id, date_registration, contract_type, contract_duration) VALUES('" + Username + "','" + Password + "','" + Name + "','" + Surname + "','" + Address1 + "','" + Address2 + "','" + City + "','" + Country + "','" + DOB + "','" + Age + "','" + Occupation + "','" + Department + "','" + WorkLocation + "','" + ProjectManager + "','" + TeamLeader + "','" + TeamLeaderID + "','" + ProjectManager + "','" + RegistrationDate + "','" + ContractType + "','" + ContractDuration + "')" 

     conn.Open() 

     registerSQL = New SqlCommand(sqlComm, conn) 

     registerSQL.ExecuteNonQuery() 
     conn.Close() 


    End Sub 



End Class 

這是我的數據庫 '用戶' 表：

我收到此錯誤信息：

Error 1 Operator '+' is not defined for types 'Double' and 'Date'. C:\Users\Brian\Documents\Visual Studio 2012\WebSites\WebSite1\Registration.aspx.vb 51 19 WebSite1(1) 

誰能告訴我發生了什麼事？

Answer 1

正如勞埃德指出的，parameterize your queries。例如。 （縮短了可讀性）

sqlComm = "INSERT INTO users(Username, Password, Name) VALUES(@Username, @Password, @Name)" 
registerSQL = New SqlCommand(sqlComm, conn) 
registerSQL.Parameters.AddWithValue("@Username", Username) 
registerSQL.Parameters.AddWithValue("@Password", Password) 
registerSQL.Parameters.AddWithValue("@Name", Name) 

但是，爲了回答你的問題，使用&代替+來連接字符串。

Answer 2

只給你一個起點

sqlComm = "INSERT INTO users(Username, Password, Name, Surname, Address1, Address2, " + 
      "City, Country, date_of_birth, age, Occupation, department, work_location, " + 
      "project_manager,team_leader, team_leader_id, project_manager_id, " + 
      "date_registration, contract_type, contract_duration) " + 
      "VALUES(@p1, @p2,@p3,@p4,@p5,@p6,@p7,@p8,@p9,@p10,@p11,@p12,@p13,@p14,@p15," + 
      "@p16,@p17,@p18,@p19,@p20)" 
    conn.Open() 
    registerSQL = New SqlCommand(sqlComm, conn) 
    registerSQL.Parameters.AddWithValue("@p1", Username) 
    ..... 
    registerSQL.ExecuteNonQuery() 

而當值傳遞給AddWithValue方法不是一個字符串，嘗試轉換由數據庫字段的預期正確的數據類型。

registerSQL.Parameters.AddWithValue("@p9", Convert.ToDateTime(DOB)) 

這樣，你就不必擔心解析字符串用雙引號或字符串日期的自動轉換，而且，你不必與SQL注入攻擊