VB.net更新查詢沒有給出錯誤，也沒有更新我的sql數據庫

Question

Dim conntps As MySqlConnection 
Dim myconnstringtps As String 
conntps = New MySqlConnection() 
Dim mycommand As New MySqlCommand 
Dim Updatepayments As String = "update payments set payments.payorname='" & _ 
    epayorname.Text & "', payments.cardnumber='" & eccnumber.Text & _ 
    "', payments.bankname='" & ebankname.Text & "', payments.checkaccountnumber='" & _ 
    eaccountnumber.Text & "', payments.checkroutingnumber='" & _ 
    erouting.Text & "', payments.cardexpirationdate='" & eexpmonth.Text & "/" & _ 
    eexpireyear.Text & "', payments.cardexpirationmonth='" & _ 
    eexpmonth.Text & "', payments.cardexpirationyear='" & eexpireyear.Text & _ 
    "', payments.cardaddress='" & eaddy.Text & "', payments.cardzipcode='" & _ 
    ezip.Text & "', payments.threedigitnumber='" & ecvv.Text & _ 
    "' where payments.filenumber='" & TextBox1.Text & "' and paymentstatus='PENDING';" 
myconnstringtps = "server=localhost; user id=root; " & _ 
        "password=1C0cac0la; database=collectionsmax" 
Try 
    conntps.Open() 
    Try 
     mycommand.Connection = conntps 
     mycommand.CommandText = Updatepayments 
     mycommand.ExecuteNonQuery() 
     conntps.Close() 
     mycommand.Dispose() 
    Catch myerror As MySqlException 
     MsgBox("error connecting:" & myerror.Message) 
    End Try 
Catch myerror As MySqlException 
    MsgBox("error connecting:" & myerror.Message) 
Finally 
    If conntps.State <> ConnectionState.Closed Then conntps.Close() 
    MsgBox("Successfully Changed") 
End Try 

我在嘗試運行代碼時沒有收到任何錯誤或異常。

我試圖將生成的更新查詢輸出到文本框，並通過mysql管理工作室運行代碼，並且它完美地工作。所以我很確定它不是一個與實際查詢被髮送到服務器的問題。

我已經使用幾乎完全相同的代碼來插入沒有問題的語句。

當代碼通過我的VB.net應用程序使用上述代碼運行時，它不會更新數據庫。

Answer 1

你不設置連接字符串中的MySqlConnection

myconnstringtps = "server=localhost; user id=root; password=1C0cac0la;......" 
conntps = New MySqlConnection(myconnstringtps) 

除此之外，你需要使用參數化查詢，以避免與你的字符串中的單引號和Sql Injection Attack安全問題

Dim Updatepayments As String = "update payments " & _ 
    "set payments.payorname=@name," & _ 
    "payments.cardnumber=@cnum," & _ 
    "payments.bankname=@bank," & _ 
    "payments.checkaccountnumber=@actnum," & _ 
    "payments.checkroutingnumber=@routing," & _ 
    "payments.cardexpirationdate=@monthyear," & _ 
    "payments.cardexpirationmonth=@month," & _ 
    "payments.cardexpirationyear=@year," & _ 
    "payments.cardaddress=@address," & _ 
    "payments.cardzipcode=@zip," & _ 
    "payments.threedigitnumber=@digits " & _ 
    "where payments.filenumber=@file and paymentstatus='PENDING'" 

Dim mycommand As New MySqlCommand(Updatepayments, conntps) 
mycommand.Parameters.AddWithValue("@name", epayorname.Text) 
mycommand.Parameters.AddWithValue("@cnum", eccnumber.Text) 
mycommand.Parameters.AddWithValue("@bank", ebankname.Text) 
mycommand.Parameters.AddWithValue("@actnum", eaccountnumber.Text); 
mycommand.Parameters.AddWithValue("@routing", erouting.Text) 
mycommand.Parameters.AddWithValue("@monthyear", eexpmonth.Text & "/" & eexpireyear.Text) 
mycommand.Parameters.AddWithValue("@month", eexpmonth.Text) 
mycommand.Parameters.AddWithValue("@year", eexpireyear.Text) 
mycommand.Parameters.AddWithValue("@address", eaddy.Text) 
mycommand.Parameters.AddWithValue("@zip", ezip.Text) 
mycommand.Parameters.AddWithValue("@digits", ecvv.Text) 
mycommand.Parameters.AddWithValue("@file", TextBox1.Text) 

問題

其他問題點：你確定你的字段都是字符串類型嗎？您爲每個字段傳遞一個字符串，並用單引號括住該值。如果您的字段中有人不是字符串類型，這可能會失敗。 （特別是這些領域可能是不字符串類型payments.cardnumber，payments.checkaccountnumber，payments.cardexpirationmonth，payments.cardexpirationyear，payments.threedigitnumber）的

Answer 2

紅色警報顯然你是用信用卡信息在這裏處理然而你卻離開了你自己，你的客戶容易受到SQL注入攻擊！

此外，您在公開的互聯網上發佈的代碼中有一個密碼！

（和史蒂夫似乎有正確答案。）

Answer 3

使用命令參數。這使得它更安全（SQL injection），更容易處理。

Dim Updatepayments As String = "UPDATE payments SET payments.payorname=@1, " & _ 
    "payments.cardnumber=@2, ..." & _ 
    "WHERE payments.filenumber=@11 AND paymentstatus='PENDING';" 

mycommand.Parameters.AddWithValue("@1", epayorname.Text); 
mycommand.Parameters.AddWithValue("@2", eccnumber.Text); 
... 

您也可以使用參數的名稱，如@epayorname與SQL-Server，但一些連接類型（如ODBC）只允許位置參數。