我在我的vb項目上有一個保存命令。問題是它不會用「'」或圓括號保存文本。我認爲這是與SQL命令。這裏是我的儲蓄以及更新將括號或引號保存到vb.net的sql中
節省
Dim myAdapter As New MySqlDataAdapter
Dim myDatatable As New DataTable
Dim command As New MySqlCommand
Dim add As String
add = "INSERT INTO tracker.recordtracker (Action_Taken,Marginal_Note,Remarks,Type_of_Document,Referred_Date,Items,Received_From,Received_Date,Referred_To,recdate,refdate)values('" + acttaken.Text + "','" + margnote.Text + "','" + remarks.Text + "','" + doctype.Text + "','" + rfrldatelbl.Text + "','" + itemtbx.Text + "','" + rfromtbx.Text + "','" + rcvdate.Text + "','" + reftotbx.Text + "' ,'" + rdate.Text + "',@refdate)"
command = New MySqlCommand(add, connection)
refdate.CustomFormat = "yyyy-MM-dd"
myAdapter.SelectCommand = command
myAdapter.Fill(myDatatable)
MsgBox("Data has been successfully added.")
clearfield()
loaddatabase()
connection.Close()
connection.Dispose()
Catch ex As Exception
MsgBox(ex.Message)
End Try
的更新代碼
Try
connection.Open()
rcvdate.Text = rdate.Text
If refdate.Checked = False Then
rfrldatelbl.Text = "____-__-__"
Else
refdate.CustomFormat = "yyyy-MM-dd"
rfrldatelbl.Text = refdate.Text + " " + TimeOfDay
End If
Dim query As String
query = "update tracker.recordtracker set Action_Taken='" & acttaken.Text & "', Marginal_Note='" & margnote.Text & "', Remarks='" & remarks.Text & "',Type_of_Document='" & doctype.Text & "', Items = '" & itemtbx.Text & "', Referred_To='" & reftotbx.Text & "', Referred_Date='" & rfrldatelbl.Text & "',recdate='" & rdate.Text & "',refdate='" & refdate.Text & "' where id = '" & ID.Text & "'"
utos = New MySqlCommand(query, connection)
reader = utos.ExecuteReader
MsgBox("Data has been changed.")
connection.Close()
loaddatabase()
connection.Close()
connection.Dispose()
Catch ex As Exception
MsgBox(ex.Message)
End Try
。說的是真的 - 請考慮使用參數化查詢。如果你只是手動轉義引號,你將面臨很大的SQL注入風險... –
雖然什麼@JeremyC SQL字符串使用引號 –
非常真實,我應該在我的評論中加入@MattFellows,mrkdenz讓我們來說說ID.text中的某人:1''; DROP TABLE tracker.recordtracker;它可能會導致你的表被刪除後更新 –