SQL命令不會插入到數據庫

Question

我試圖使用VB按鈕將數據插入到數據庫中，但它不斷提出我有適用於異常的錯誤消息。

任何人都可以幫助我爲什麼這不更新數據庫？

Protected Sub Button1_Click(sender As Object, e As System.EventArgs) Handles Button1.Click 

    Dim connetionString As String 
    Dim sqlCnn As SqlConnection 
    Dim sql As String 
    Dim adapter As New SqlDataAdapter 
    Dim Customer As String = TextBox1.Text 
    Dim Product As String = TextBox2.Text 
    Dim Location As String = TextBox3.Text 
    Dim Details As String = TextBox4.Text 
    Dim Owners As String = DropDownList1.Text 
    Dim Urgency As String = DropDownList2.Text 


    connetionString = "Data Source=ZUK55APP02;Initial Catalog=BugFixPortal;User ID=SLC***;Password=rep***" 
    sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details) VALUES ('" & Owners & ", " & Customer & ", " & Product & ", " & Location & ", " & Urgency & ", " & Details & "')" 
    sqlCnn = New SqlConnection(connetionString) 

    Try 
     sqlCnn.Open() 
     adapter.UpdateCommand = sqlCnn.CreateCommand 
     adapter.UpdateCommand.CommandText = sql 
     adapter.UpdateCommand.ExecuteNonQuery() 
     sqlCnn.Close() 

    Catch ex As Exception 
     MsgBox("Unable to update Database with Request - Please speak to Supervisor!") 

    End Try 

End Sub 

Answer 1

您錯誤地引用了您的值。

此字符串圍繞所有值打開和關閉單引號，這是不正確的。 。

VALUES ('" & Owners & ", " & Customer & ", " & Product & ", " & Location & ", " & Urgency & ", " & Details & "')" 

相反，把周圍的字符數據，單引號例如，如果Product是VARCHAR，它應該是這樣的：

VALUES (" & Owners & ", " & Customer & ", '" & Product & "', " & Location & ", " & Urgency & ", " & Details & ")" 

的真正的問題，不過，是你應該使用參數化查詢。此代碼很容易出現SQL注入攻擊。

Answer 2

更改此;

MsgBox("Unable to update Database with Request - Please speak to Supervisor!") 

像這樣的東西;

MsgBox("Unable to update Database with Request - Please speak to Supervisor!" & ex.Message) 

它會給你更多的細節例外的，但是快速瀏覽，我可以看到一個問題，你正試圖插入值是字符串，您已經在一組的封閉所有的值「字符，而不是封閉在一對每個字符串參數」值，即

sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details) VALUES ('" & Owners & "', '" & Customer & "', '" & Product & "',' " & Location & "', '" & Urgency & "', '" & Details & "')" 

Answer 3

你真應該看看你的參數化查詢，你對SQL注入攻擊敞開的。請參閱HERE

就您的代碼本身而言，您的SQL語法錯誤，因爲您需要在每個值周圍放置撇號。試試這個：

sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details) 
VALUES ('" & Owners & "', '" & Customer & "', '" & Product & 
    "', '" & Location & "', '" & Urgency & "', '" & Details & "')" 

下面是使用參數

sql = "INSERT INTO Requests (Owner, Customer, Product, Location, Urgency, Details) 
VALUES ('@Owners', '@Customer', '@Product', '@Location', '@Urgency', '@Details')" 

然後添加參數，像這樣的例子：

command.Parameters.AddWithValue("@Owners", Owners) 
command.Parameters.AddWithValue("@Customer", Customer) 
command.Parameters.AddWithValue("@Product", Product) 
command.Parameters.AddWithValue("@Location", Location) 
command.Parameters.AddWithValue("@Urgency", Urgency) 
command.Parameters.AddWithValue("@Details", Details) 

Answer 4

我不會走這條路爲你的代碼是針對SQL注入弱

您應該改用參數。喜歡的東西下面

c.Open(); 
string insertString = @"insert into YourTable(name, street, city,....) values(@par1, @par2, @parN,....)" 
SqlCommand cmd = new SqlCeCommand(insertString, c); 
cmd.Parameters.Add("@par1", SqlDbType.VarChar).Value = "MyName"; 
//etc 
cmd.ExecuteNonQuery(); 
c.Close(); 

Answer 5

我想你想在

Try 
    sqlCnn.Open() 
    adapter.UpdateCommand = sqlCnn.CreateCommand //(adapter.InsertCommand) 
    adapter.UpdateCommand.CommandText = sql //(adapter.InsertCommand) 
    adapter.UpdateCommand.ExecuteNonQuery() //(adapter.InsertCommand) 
    sqlCnn.Close() 

Catch ex As Exception 
    MsgBox("Unable to update Database with Request - Please speak to Supervisor!") 

End Try 

使用adapter.InsertCommand代替adapter.UpdateCommand

，並用參數化的SQL查詢同意

看到http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqldataadapter.aspx更多的相關信息